Feeds

White House devs overlooked gaping Drupal vuln

Is there an auditor in the house?

Internet Security Threat Report 2014

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own that requires use of the vulnerable Context module. It raises questions about the level of review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

Officials with the Drupal project said the bug can be exploited only when attackers already have lower-level administrative privileges to the webserver. And even then, a vulnerable page would have to be set up to allow the attacker to create "blocks," which is Drupal parlance for widgets or other chunks of content.

"That's a very uncommon thing to have happen," said Greg Knaddison, a member of the Drupal security team who said he was speaking to The Register in his capacity as a partner with Growing Venture Solutions, a consultancy for websites built on Drupal. Because the vulnerability resides in a release-candidate module, the Drupal project won't be coordinating a security fix. Knaddison has posted a full set of mitigation steps here, which also includes a link to a module patch.

Drupal project managers said they had been communicating with the bug discoverer for several weeks prior to the disclosure.

The big selling point of open source software has long been that its source code can be reviewed by thousands or even millions of users, making it more likely that security flaws will be quickly diagnosed and fixed. And yet in this case, the easy-to-spot bug in the Context module went unnoticed by the White House developers even though it formed the foundation of their own revamped website and a newer module they released to world+dog.

It's not the first incident to raise questions about how Whitehouse.gov is secured.

But Knaddison said discovery of the hard-to-exploit bug was proof that the open-source model does hold up to its promise.

"This kind of points to the benefits of investigating the code at a code level versus looking at it from a black-box perspective," he said. "If you can look at the code, then it's probably something that can be found very easily." ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
You dirty RAT! Hong Kong protesters infected by iOS, Android spyware
Did China fling remote access Trojan at Occupy Central?
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.