Feeds

White House devs overlooked gaping Drupal vuln

Is there an auditor in the house?

Build a business case: developing custom apps

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own that requires use of the vulnerable Context module. It raises questions about the level of review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

Officials with the Drupal project said the bug can be exploited only when attackers already have lower-level administrative privileges to the webserver. And even then, a vulnerable page would have to be set up to allow the attacker to create "blocks," which is Drupal parlance for widgets or other chunks of content.

"That's a very uncommon thing to have happen," said Greg Knaddison, a member of the Drupal security team who said he was speaking to The Register in his capacity as a partner with Growing Venture Solutions, a consultancy for websites built on Drupal. Because the vulnerability resides in a release-candidate module, the Drupal project won't be coordinating a security fix. Knaddison has posted a full set of mitigation steps here, which also includes a link to a module patch.

Drupal project managers said they had been communicating with the bug discoverer for several weeks prior to the disclosure.

The big selling point of open source software has long been that its source code can be reviewed by thousands or even millions of users, making it more likely that security flaws will be quickly diagnosed and fixed. And yet in this case, the easy-to-spot bug in the Context module went unnoticed by the White House developers even though it formed the foundation of their own revamped website and a newer module they released to world+dog.

It's not the first incident to raise questions about how Whitehouse.gov is secured.

But Knaddison said discovery of the hard-to-exploit bug was proof that the open-source model does hold up to its promise.

"This kind of points to the benefits of investigating the code at a code level versus looking at it from a black-box perspective," he said. "If you can look at the code, then it's probably something that can be found very easily." ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.