When I test my website with Netsparker, I see result lines like the one below:
mydrupalsite/print/nodeID/%22ns=%22alert(0x00C8DF) (URI-BASED)
When we checked those results, they looked like false positives. But Netsparker says, "Netsparker is the only False-positive-free web application security scanner." on their website.
Can somebody check this security alert?
Comments
Comment #1
jcnventura: Depends on whether the 7.x-1.x-dev you already updated to is current or not.
You're describing SA-CONTRIB-2012-057, which was fixed about a year ago.
Comment #2
Orkut Murat Yılmaz: I'm using print module version: 7.x-1.x-dev date: 2012-Sep-20
Comment #3
jcnventura: Then it must be a false positive. Have you tried the above on your site? Does the alert pop up?
Comment #4
Orkut Murat Yılmaz: Yes, I tried and the alert didn't work.
And I also asked some guys from Netsparker. They said, "if it's marked as possible, it may be a false positive, but if it's marked as confirmed, it's positive".
Actually the tests had been done by some other team; now I'm mailing with them. If they inform me, I'll share the latest situation here.
Comment #5
Orkut Murat Yılmaz: Ok, now we have diagnosed what's been going on.
The test team sent us a much more detailed report.
If we go to the URL I pasted below, the alert works.
mydrupalsite/print/nodeID/%22%20onmouseover=%22javascript:alert%28%27XSS%27%29%22
So we checked the node and saw that the node contains a views slideshow. So the XSS gets activated with the onmouseover behaviour.
Now, we have deactivated printing for those node types. Actually nobody needs printing support for slideshows in our scenario.
So, should this bug be fixed?
Netsparker did a good job. I congratulate them for this report.
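As an added illustration, not code from the print module or from anyone in this thread: a hypothetical Python renderer that reflects the decoded request path into an href attribute, the same renderer with escaping, and a check over constructed access-log lines for the attribute-breakout pattern seen in the payload from comment #5. The renderer, the log lines and the regular expressions are assumptions, not the module's real code.

```python
import html
import re
from urllib.parse import unquote

# Path quoted in comment #5 of the thread (URL-encoded, as the scanner sent it).
PAYLOAD_PATH = "print/nodeID/%22%20onmouseover=%22javascript:alert%28%27XSS%27%29%22"

def render_link_vulnerable(path: str) -> str:
    """Hypothetical renderer: reflects the decoded request path into href unescaped."""
    return f'<a href="/{unquote(path)}">Printer-friendly version</a>'

def render_link_hardened(path: str) -> str:
    """Same renderer with quotes, angle brackets and ampersands escaped first."""
    return f'<a href="/{html.escape(unquote(path), quote=True)}">Printer-friendly version</a>'

ANCHOR_RE = re.compile(r'<a href="[^"]*"([^>]*)>')

def injected_attributes(markup: str) -> str:
    """Return whatever sits between the closing quote of href and '>' (empty when safe)."""
    m = ANCHOR_RE.match(markup)
    return m.group(1).strip() if m else ""

# Decoded request path that closes a quoted attribute and starts an on* handler.
BREAKOUT_RE = re.compile(r'["\']\s*on\w+\s*=', re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_requests(log_lines):
    """Return request paths from combined-format log lines whose decoded form matches BREAKOUT_RE."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and BREAKOUT_RE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits

# Constructed access-log lines in Apache combined format (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2013:10:00:01 +0000] "GET /print/42 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:10:00:02 +0000] "GET /' + PAYLOAD_PATH + ' HTTP/1.1" 200 1300 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:10:00:03 +0000] "GET /node/42 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable(PAYLOAD_PATH))
    print("hardened:  ", render_link_hardened(PAYLOAD_PATH))
    print("flagged:   ", flag_requests(SAMPLE_LOG))
```

The vulnerable renderer ends up with a second attribute after href, while the hardened one keeps the whole decoded path inside the quoted value; the log check reports only the request that carries the breakout pattern.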
Comment #6
jcnventura: At this point, I'm not sure where the problem is. The module filters out that type of attack, so this shouldn't be possible anymore. And you're telling me that it only happens on Views Slideshow pages. Might be some weird interaction between print and views_slideshows.
Does the XSS injection also work on those pages when you use the same URL, but with node instead of print?
Comment #7
Orkut Murat Yılmaz: Well, I tried on the node pages, and XSS didn't work. But it's still happening on the print pages.
I agree that the interaction between print and views_slideshows is weird (and we disabled print support for slideshows). For that reason I'm not sure about this issue. Is it still a bug or a security issue?
Comment #8
jcnventura: Honestly, at this moment I'd have to reproduce it. And I can't.
I've created a security issue with the security team (which is what you should have done to begin with, but that's moot now). Maybe we'll be able to understand what type of conditions can trigger this.
Closing this as a duplicate of the security issue.
Comment #9
Orkut Murat Yılmaz: Thanks for your help.
Comment #11
alexandrezia: Sorry for re-opening this issue, but I have a problem with this commit: 2b7a3610f75a2c62a8b0ceabf1a01b0ddc92b44d
It broke putting an image on the generated PDF file.
In my module:
In my template:
One commit behind, the image shows OK!
But with this commit, the image can't load.
Thanks in advance
Comment #12
Orkut Murat Yılmaz