Response to CVE-2014-1607: a purported XSS vulnerability in Event Calendar

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by Drupal Security Team on January 29, 2014 at 8:44pm

CVE-2014-1607 Claims to be a vulnerability in Drupal 7.14 and probably newer versions.

We were unable to reproduce the issue on a fresh Drupal 7.x-dev installation with Event Calendar 7.x-1.4, the latest release.

The description provided by HelpAG in public (NVD), SecurityFocus) and their original messages to the Drupal Security Team failed to include a set of steps to reproduce the problem other than instructions to visit "eventcalander/2013%22%20onmouseover%3dalert%28%27XSSed%27%29%20bad%3d%22". In private communications they clarify that the issue is in the Event Calendar module "release version 7. upwards."

As this video demonstrates, the vulnerability cannot be reproduced as described.

Steps followed in the video:

  1. Install Event Calendar module version 7.x-1.4 or 7.x-1.0
  2. Visit event-created/month/2013"onmouseover%3dalert("XSSed") bad%3d"-11#
  3. View page source and note that all instances of the malicious string have been escaped so they will not be interpreted
  4. Attempt to mouseover the page to trigger execution, note that it doesn't work

We tested the default views provided by the event_calendar. These do not include the path segment "eventcalendar/".

In addition, review of the event calendar module and the views it defines, did not result in us finding code vulnerable to this cross site scripting issue.

An investigation of the vulnerable site as anonymous visitors allowed us to determine that the vulnerability was not created by the Event Calendar module, but by site-specific configuration or code.

We closed the issue as "works as designed" with a request for additional information. Unfortunately, we never received sufficient information to reproduce the problem outside of the reporter's client's site.

Side-note on versions

Drupal core is versioned in the form major.minor, so 7.14 is a version of Drupal. Drupal's modules are versioned in the form corecompat.x-major.minor so 7.x-1.4 is the 5th release in the 1.x branch of the event_calendar module and it is compatible with Drupal 7.

Timeline of major events

  • Fri, 2013年10月18日 19:48 - issue reported by CERT Coordination Center
  • Mon, 2013年10月21日 15:20 - Issue moved to Calendar queue
  • Tue, 2013年11月05日 20:19 - Request for additional information
  • Wed, 2013年11月13日 21:15 - Established contact with the reporter
  • Thu, 2013年11月14日 05:36 - Contact with the reporter
  • Thu, 2013年11月14日 07:43 - Request for additional information
  • Mon, 2013年11月18日 07:55 - Contact with the reporter, Event calendar implicated
  • Mon, 2013年11月18日 07:57 - Reporter send a screenshot showing a popup, but not the url, url arguments, nor html source
  • Mon, 2013年11月18日 09:35 - Drupal Security Team reported to the issue as unable to reproduce, with a request for specific, additional information
  • Wed, 2013年11月27日 06:52 - Unable to reproduce from a different team member, with a request for specific, additional information
  • Wed, 2013年11月27日 14:50 - Drupal Security Team asked for additional details
  • Thu, 2014年01月09日 17:11 - Reporter replies with (insufficiently) sanitized HTML-output from the vulnerable site. Content does not implicate the module, but a custom views header.
  • Thu, 2014年01月09日 17:12 - Closed as "works as designed" with a request for additional information
  • Thu, 2014年01月23日 - Issue is disclosed on Bugtraq
  • Mon, 2014年01月27日 - Drupal Security Team requests MITRE to investigate and revoke the CVE-2014-1607
  • Mon, 2014年01月27日 - MITRE asked the reporter to confirm or withdraw the report
  • Wed, 2014年01月29日 - MITRE marked the CVE as Disputed (no response from original reporter yet)

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /