Security Researcher Disappointed with How an XSS Bug Was Fixed in Drupal 8


Researcher finds reflected XSS bug in Drupal 8.

Drupal 8 isn’t even out yet, but security experts have been hard at work auditing the code and reporting security bugs, helping the open source community strengthen one of its most beloved Content Management Systems (CMSs).

Sandeep Kamble, a security researcher at SecureLayer7, has uncovered an XSS (cross-site scripting) vulnerability in Drupal’s 8.0.0-beta14 release.

The vulnerability was found in the `core/vendor/behat/mink/driver-testsuite/web-fixtures/issue130.php` file, which, according to Kamble, reads the PHP superglobal `$_SERVER['HTTP_REFERER']` and outputs it without sanitizing the request data.


This enables attackers to mount a reflected XSS attack and have malicious script executed in the browsers of users of affected Drupal versions.

Drupal’s team was quick to fix the issue, and because it affected only a Drupal 8 beta version, few users were actually exposed: the Drupal team does not recommend beta releases for production environments.

Kamble’s problem was that Drupal fixed the bug using methods that are not the recommended ones, at least not those recommended by Microsoft or by OWASP (the Open Web Application Security Project) in its XSS Prevention Cheat Sheet.

“They have decided to use ‘.htaccess’ as patch, which is not a proper mechanism to patch away this XSS, no filter or encoders have been used,” says Kamble, who goes on to recommend that “several other mechanisms can be used for successful filtering & encoding such as HtmlEncode, HtmlAttributeEncode, JavaScriptEncode etc.”
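To make the point concrete, the following is an added example, not code from the Mink fixture or from Drupal, contrasting the pattern the article describes (reflecting `$_SERVER['HTTP_REFERER']` straight into HTML) with the output-encoding approach Kamble refers to. Function names and the sample referer value are constructed for illustration; the encoding calls are standard PHP.

```php
<?php
// Added example (not Drupal's or Mink's code). Function names are hypothetical.

// Pattern described in the article: a request header is written into the HTML
// response unchanged, so any markup in the Referer header reaches the browser.
function render_referer_unsafe(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return '<p>You came from: ' . $referer . '</p>';
}

// Context-aware encoder for HTML body and attribute values. ENT_QUOTES also
// encodes single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently drop the output).
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened version of the same output: the value is encoded for the HTML
// body context, so '<', '>', '&' and quotes become entities.
function render_referer_safe(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    return '<p>You came from: ' . encode_html($referer) . '</p>';
}

// Attribute context (e.g. a "back" link): encode for the attribute and, because
// encoding alone does not neutralise a non-http URL scheme inside href, fall
// back to a local path unless the scheme is http or https.
function render_back_link_safe(): string
{
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $scheme  = strtolower((string) parse_url($referer, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $referer = '/';
    }
    return '<a href="' . encode_html($referer) . '">Back</a>';
}

// Constructed sample header for a stand-alone run (not a real request):
// it carries markup and quotes so the encoding is visible in the output.
$_SERVER['HTTP_REFERER'] = 'https://example.test/?q=<b>x</b>&r="y"';

echo render_referer_safe(), "\n";
echo render_back_link_safe(), "\n";
```

Run it with `php example.php`; the unsafe function is kept only to show the difference and is never echoed. The important design point is that encoding is chosen per output context (HTML body, attribute, JavaScript, URL), which is why the OWASP cheat sheet lists separate encoders rather than one generic filter, and why blocking a path in `.htaccess` addresses reachability of one file rather than the underlying unencoded output.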