Feeds

White House devs overlooked gaping Drupal vuln

Is there an auditor in the house?

Intelligent flash storage arrays

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own that requires use of the vulnerable Context module. It raises questions about the level of review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

Officials with the Drupal project said the bug can be exploited only when attackers already have lower-level administrative privileges to the webserver. And even then, a vulnerable page would have to be set up to allow the attacker to create "blocks," which is Drupal parlance for widgets or other chunks of content.

"That's a very uncommon thing to have happen," said Greg Knaddison, a member of the Drupal security team who said he was speaking to The Register in his capacity as a partner with Growing Venture Solutions, a consultancy for websites built on Drupal. Because the vulnerability resides in a release-candidate module, the Drupal project won't be coordinating a security fix. Knaddison has posted a full set of mitigation steps here, which also includes a link to a module patch.

Drupal project managers said they had been communicating with the bug discoverer for several weeks prior to the disclosure.

The big selling point of open source software has long been that its source code can be reviewed by thousands or even millions of users, making it more likely that security flaws will be quickly diagnosed and fixed. And yet in this case, the easy-to-spot bug in the Context module went unnoticed by the White House developers even though it formed the foundation of their own revamped website and a newer module they released to world+dog.

It's not the first incident to raise questions about how Whitehouse.gov is secured.

But Knaddison said discovery of the hard-to-exploit bug was proof that the open-source model does hold up to its promise.

"This kind of points to the benefits of investigating the code at a code level versus looking at it from a black-box perspective," he said. "If you can look at the code, then it's probably something that can be found very easily." ®

Internet Security Threat Report 2014

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
State Dept shuts off unclassified email after hack. Classified mail? That's CLASSIFIED
Classified systems 'not affected' - but, is this reconnaissance?
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.