Feeds

White House devs overlooked gaping Drupal vuln

Is there an auditor in the house?

Secure remote control for conventional and virtual desktops

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own that requires use of the vulnerable Context module. It raises questions about the level of review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

Officials with the Drupal project said the bug can be exploited only when attackers already have lower-level administrative privileges to the webserver. And even then, a vulnerable page would have to be set up to allow the attacker to create "blocks," which is Drupal parlance for widgets or other chunks of content.

"That's a very uncommon thing to have happen," said Greg Knaddison, a member of the Drupal security team who said he was speaking to The Register in his capacity as a partner with Growing Venture Solutions, a consultancy for websites built on Drupal. Because the vulnerability resides in a release-candidate module, the Drupal project won't be coordinating a security fix. Knaddison has posted a full set of mitigation steps here, which also includes a link to a module patch.

Drupal project managers said they had been communicating with the bug discoverer for several weeks prior to the disclosure.

The big selling point of open source software has long been that its source code can be reviewed by thousands or even millions of users, making it more likely that security flaws will be quickly diagnosed and fixed. And yet in this case, the easy-to-spot bug in the Context module went unnoticed by the White House developers even though it formed the foundation of their own revamped website and a newer module they released to world+dog.

It's not the first incident to raise questions about how Whitehouse.gov is secured.

But Knaddison said discovery of the hard-to-exploit bug was proof that the open-source model does hold up to its promise.

"This kind of points to the benefits of investigating the code at a code level versus looking at it from a black-box perspective," he said. "If you can look at the code, then it's probably something that can be found very easily." ®

Beginner's guide to SSL certificates

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?