Researcher finds reflected XSS bug in Drupal 8

Drupal 8 isn’t even out yet, but security experts have been hard at work auditing the code and reporting security bugs, helping the open source community strengthen one of its most beloved Content Management Systems (CMSs).
Sandeep Kamble, a security researcher for SecureLayer7, has uncovered an XSS (cross-site scripting) vulnerability in Drupal’s 8.0.0-beta14 version.
The vulnerability was found in the “\core\vendor\behat\mink\driver-testsuite\web-fixtures\issue130.php” file, which, according to Kamble, uses a PHP superglobal variable ($_SERVER['HTTP_REFERER']) without sanitizing the requested data.
This enables attackers to run a reflected XSS attack and execute malicious code on affected Drupal CMS versions.
Drupal’s team was quick to fix the issue, and because it was only in one of its Drupal 8 beta versions, few users were actually affected, since this version is not recommended by the Drupal team for production environments.
Kamble’s problem was that Drupal fixed the bug using a method that is not recommended, at least not by Microsoft or by OWASP (the Open Web Application Security Project) in its XSS Prevention Cheat Sheet.
“They have decided to use ‘.htaccess’ as patch, which is not a proper mechanism to patch away this XSS, no filter or encoders have been used,” says Kamble, who goes on to recommend that “several other mechanisms can be used for successful filtering & encoding such as HtmlEncode, HtmlAttributeEncode, JavaScriptEncode etc.”
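The encoder-based fix Kamble describes, shown as an added PHP example beside the unsanitized pattern (this is not the contents of issue130.php, nor code from Drupal, Mink or the original report). The function names and the sample Referer value are constructed for illustration, and PHP's htmlspecialchars and json_encode stand in for the HtmlEncode, HtmlAttributeEncode and JavaScriptEncode encoders he names.

```php
<?php
// Added illustration: NOT the contents of Drupal's or Mink's issue130.php.
// All function names below are hypothetical.

// Pattern the article describes: the Referer header is echoed as-is.
function referer_unsafe(array $server): string
{
    return '<strong>' . ($server['HTTP_REFERER'] ?? '') . '</strong>';
}

// HTML body and quoted-attribute context: encodes & < > " and '.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context: JSON literal with HTML-significant characters escaped.
function js_encode(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE);
}

// href context: encoding alone does not stop javascript: URLs,
// so the scheme is allow-listed before the value is encoded.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? html_encode($url) : '#';
}

// Same header value, encoded for each context it is written into.
function referer_encoded(array $server): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    return '<strong>' . html_encode($ref) . '</strong>'
         . ' <a href="' . safe_href($ref) . '">back</a>'
         . '<script>var ref = ' . js_encode($ref) . ';</script>';
}

// Constructed sample header value containing markup (not taken from the report).
$sample = ['HTTP_REFERER' => 'http://example.test/"><em>markup</em>'];

echo referer_unsafe($sample), "\n";   // markup reaches the page unencoded
echo referer_encoded($sample), "\n";  // markup is inert in every context
```

Unlike a rewrite rule in .htaccess, the encoding travels with the code, so the output stays safe on servers that ignore .htaccess files.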
Source: https://news.softpedia.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.