Researcher finds reflected XSS bug in Drupal 8.Drupal 8 isn’t even out yet but security experts have been hard at work auditing the code and reporting security bugs, helping the open source community strengthen one of its most beloved Content Management Systems (CMSs).
Sandeep Kamble, a security researchers for SecureLayer7, has uncovered an XSS (cross-site scripting) vulnerability in Drupal’s 8.0.0-beta14 version.
The vulnerability was found in the “\core\vendor\behat\mink\driver-testsuite\web-fixtures\issue130.php” file, which according to Kamble, contains a PHP super GLOBAL variable ($_SERVER[‘HTTP_REFERER’]) which fails to sanitize requested data.
This enables attackers to run a reflected XSS attack and execute malicious code on affected Drupal CMS versions.
Drupal’s team was quick to fix the issue, and because it was only in one of its Drupal 8 beta versions, few users were actually affected, since this version is not recommended by the Drupal team for production environments.
Kamble’s problem was that Drupal fixed the bug using non-recommended methods, at least not those recommended by Microsoft, or by the OWASP (Open Web Application Security Project) project via its XSS Prevention Cheat Sheet.