Feeds

White House devs overlooked gaping Drupal vuln

Is there an auditor in the house?

The Power of One eBook: Top reasons to choose HP BladeSystem

A researcher has uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites.

The XSS, or cross-site scripting, bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory published Monday by researcher Justin Klein Keane, the flaw allows attackers to inject malicious scripts into login pages that will reset the site's administrative password.

The discovery is notable because it comes less than three weeks after the White House released a plug-in of its own that requires use of the vulnerable Context module. It raises questions about the level of review carried out by the people who coded the Context HTTP Headers module. Administration officials installed it on the sensitive Obama website and released it to great fanfare in late April at the DrupalCon conference in San Francisco.

"My worry is that they just launched this revamped Drupal site and it doesn't look like anybody did a serious security audit," said a security researcher who has reviewed the bug and asked that his name not be used in this article. "You can find this hole without much digging, but who knows what else may or may not be there. If one had done that kind of vulnerability assessment even casually, you would expect you would uncover these kinds of things."

Officials with the Drupal project said the bug can be exploited only when attackers already have lower-level administrative privileges to the webserver. And even then, a vulnerable page would have to be set up to allow the attacker to create "blocks," which is Drupal parlance for widgets or other chunks of content.

"That's a very uncommon thing to have happen," said Greg Knaddison, a member of the Drupal security team who said he was speaking to The Register in his capacity as a partner with Growing Venture Solutions, a consultancy for websites built on Drupal. Because the vulnerability resides in a release-candidate module, the Drupal project won't be coordinating a security fix. Knaddison has posted a full set of mitigation steps here, which also includes a link to a module patch.

Drupal project managers said they had been communicating with the bug discoverer for several weeks prior to the disclosure.

The big selling point of open source software has long been that its source code can be reviewed by thousands or even millions of users, making it more likely that security flaws will be quickly diagnosed and fixed. And yet in this case, the easy-to-spot bug in the Context module went unnoticed by the White House developers even though it formed the foundation of their own revamped website and a newer module they released to world+dog.

It's not the first incident to raise questions about how Whitehouse.gov is secured.

But Knaddison said discovery of the hard-to-exploit bug was proof that the open-source model does hold up to its promise.

"This kind of points to the benefits of investigating the code at a code level versus looking at it from a black-box perspective," he said. "If you can look at the code, then it's probably something that can be found very easily." ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.