Drupal today released an update that patches a cross-site scripting vulnerability in a popular spam and content moderation module used by websites built on the open source CMS.
The vulnerability was in a feature of the Mollom module, which is installed on at least 60,000 sites, said Drupal security team volunteer Greg Knaddison, director of engineering at Card.com, a provider of prepaid Visa and MasterCard credit cards. The vulnerable feature is not enabled by default, Knaddison said, and, depending on how it’s configured, would require legitimate credentials to access.
“People can use the module to report content as inappropriate. An admin would review the content and mark it as spam, for example. The vulnerability is in some of that code,” Knaddison said. “If an attacker is able to create content on a site configured to use that feature, he would be able to execute a cross-site scripting attack inside the admin’s browser.”
Successfully exploiting the vulnerability would give an attacker admin-level access to sites and enable him to hijack sessions or steal data.
Knaddison said the vulnerability was identified through the Card.com bug bounty program, which is managed through Bugcrowd. A Bugcrowd participant with a track record of finding Drupal bugs examined a number of modules, including Mollom, and found this particular issue, which Drupal rated moderately critical.
“Mollom is installed on at least 60,000 sites, and while some of those may be developer sites, that seems like a big number to me,” Knaddison said. “Drupal is in use on about one million sites, so 60,000 may be relatively small, but having the ability to get admin control on sites, 60,000 seems like a lot.”
Knaddison said that it’s unlikely this issue has been exploited in the wild. He said Drupal tracks reports of attacks against websites built on the CMS, in particular the modules targeted. He said he’s seen no spike in attacks against Drupal sites recently, in particular those running the Mollom module.
Mollom, meanwhile, is marketed as an intelligent content moderation service. Knaddison said the module analyzes content that is submitted as spam, for example, comparing the content and the submitter’s IP address to known spam sites and trends. The module will either mark the submission as spam and block it, let it through, or, if unsure, present the user with a Captcha.
“It’s a smarter way to put a Captcha in front of the user,” Knaddison said.
A Drupal advisory said the vulnerability is mitigated by the fact that an attacker must have a role with permission to create content, and the content type must have “Flag as Inappropriate” enabled.
“When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting attacks,” the advisory said.
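The defect the advisory describes, a user-controlled content title written into admin-facing markup without escaping, is a generic stored-XSS pattern. The following is an added example, not code from the Mollom module or Drupal core; the rendering helpers and the sample title are constructed for illustration. It places the unsafe rendering beside the hardened form, which HTML-escapes the title at the point of output the way Drupal 7’s check_plain() does (htmlspecialchars with ENT_QUOTES and UTF-8; the t() function’s @placeholder applies the same escaping).

```php
<?php
// Added example, not from the Mollom module or Drupal core.
// Hypothetical helpers that render one row of a "reported content" list
// shown to a reviewing administrator.

// Unsafe rendering: the title is concatenated straight into HTML, so any
// markup a content author put in it is interpreted by the admin's browser.
function render_report_row_unsafe($title, $nid) {
    return '<li>Report #' . (int) $nid . ': ' . $title . '</li>';
}

// Escaping at the output boundary. This is what Drupal 7's check_plain()
// does; in a Drupal module you would call check_plain() or use
// t('Report: @title', array('@title' => $title)) instead.
function escape_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hardened rendering: every user-controlled string is escaped as it is
// written into the markup, so the title is displayed as literal text.
function render_report_row_safe($title, $nid) {
    return '<li>Report #' . (int) $nid . ': ' . escape_plain($title) . '</li>';
}

// Constructed sample title, standing in for a node title submitted by a
// user who holds the "create content" permission the advisory mentions.
$title = "Weekly update <script>alert('xss')</script>";

echo render_report_row_unsafe($title, 42), PHP_EOL;
echo render_report_row_safe($title, 42), PHP_EOL;
```

Running the script prints the two rows: in the first the script element survives intact and would execute when the list is rendered in the reviewing admin’s browser; in the second the angle brackets and quotes are replaced by HTML entities, so the browser shows the title as text. The fix is the same regardless of where the title came from: treat every stored string as untrusted at the moment it is written into HTML, rather than relying on validation at submission time.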
Affected versions are:
Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10
Drupal 6.x users should upgrade their Mollom module to 6.x-2.11; Drupal 7.x users should upgrade to Mollom 7.x-2.11.