Drupal’s popular open source web content management system ranks third behind WordPress and Joomla, and is used by many organizations including The Economist, Harvard University, Tesla Motors, Pfizer, the Australian government, and The White House.
Despite its popularity and sturdy reputation, it was recently discovered that Drupal 8.0.x is susceptible to a cross-site scripting (XSS) vulnerability.
Good and Bad News
Let’s start with the good news. The latest XSS vulnerability in Drupal only affects clients who are using Internet Explorer 8, which accounts for roughly 0.3 percent of the population. However, given that an attacker can execute arbitrary JavaScript code, with serious consequences, on those users, it’s important to protect against this.
The not-so-good news is that there is no official patch for this vulnerability yet as of this writing.
Internet Explorer 8
The reason the vulnerability works with Internet Explorer 8 is that it’s a forgiving browser that “autocorrects” a syntax error where a backtick (`) is used instead of a double quote (“) or single quote (‘). Because of that, an attacker can use a backtick to terminate a string and start writing code which will be rendered and executed in the client’s browser.
The vulnerability was published by Rafay Baloch, a security researcher from Pakistan. Drupal’s XSS filter does not filter the backtick (`) character, which allows an attacker to run payloads with a backtick delimiting the script from the text, specifically in the autocomplete module of Drupal.
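As an added illustration (not Drupal’s filter code and not from the researcher’s write-up), the snippet below contrasts a typical five-character HTML escaper, which passes the backtick through untouched, with an attribute-context encoder that also neutralizes it, and includes a small regression check a defender could run over a filter’s output. The suggestion markup and the sample search term are constructed for the example.

```javascript
// Added example, not Drupal's own filter: why an attribute-context encoder
// must treat the backtick (U+0060) as a dangerous character.

// A typical minimal HTML escaper. It covers the five standard characters
// and nothing else, so a backtick passes through untouched.
function escapeHtmlBasic(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened encoder for values placed inside an HTML attribute: every
// character that is not alphanumeric becomes a numeric entity, so the
// backtick (and whitespace and '=') can no longer end the value or start
// a new attribute, even in a browser that accepts ` as a quote.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => '&#' + c.codePointAt(0) + ';');
}

// Renders one autocomplete suggestion into a data attribute (hypothetical
// markup, used only to show the encoder in an attribute context).
function renderSuggestion(term) {
  return '<li data-term="' + escapeHtmlAttr(term) + '"></li>';
}

// Regression check over a filter's output: returns every double-quoted
// attribute value that still contains a literal backtick, which is exactly
// what IE8 may mis-parse as the end of the value.
function attrValuesWithRawBacktick(markup) {
  const hits = [];
  for (const m of markup.matchAll(/=\s*"([^"]*)"/g)) {
    if (m[1].includes('`')) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample input: a search term that carries a backtick.
const SAMPLE_TERM = 'acme` title=`x';
```

With the basic escaper the term lands in the attribute unchanged and the check flags it; with the attribute encoder the check returns an empty list.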
So What Can Attackers Do?
When input is sent to a client without being verified (by the application or by the web application firewall), it may contain bits of code that are executed in the client’s browser. When supplied by a malicious actor, those bits may be JavaScript that runs in the target browser with the intent to:
• Hijack session cookies and gain access to user sessions and accounts.
• Operate a browser keylogger, which sends user keystrokes to the attacker.
• Turn the user into a temporary bot to help execute attacks, such as DDoS, on other sites.
Escaping the inputs sanitizes the content, so that attempts to execute code are either blocked or deleted. However, this goes to show that even in such a popular application such flaws exist, which is why a layered approach, with a web application firewall on top of application-layer validation, is crucial for securing websites.
In Conclusion
The Imperva Incapsula research team has verified that both Incapsula WAF and SecureSphere WAF can block attacks attempting to exploit this vulnerability out of the box.
If you have comments for us, we’d love to hear them or email us your questions.