[IT-SecNots] [Security-news] SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS)
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS)
- Date: Wed, 27 Jun 2012 20:21:44 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
View online: http://drupal.org/node/1663306
* Advisory ID: DRUPAL-SA-CONTRIB-2012-105
* Project: Hashcash [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-June-27
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
The Hashcash project is an implementation of a Proof Of Work (POW) or Puzzle
scheme where users of a service have to do computational work to have their
request granted. In the case of the Drupal Hashcash project, the service is
'form submission' and the Proof Of Work is a token that causes a partial hash
collision when concatenated with a given string. This is intended to stop
spam submissions to a site.
.... Cross Site Scripting
When an invalid token is received and the setting "Log failed hashcash" is
enabled, the invalid token is written to watchdog with incorrect
placeholders.
This enables an attacker to insert arbitrary scripts into certain pages
displayed to administrators by the core Database logging module.
Mitigation: The setting "Log failed hashcash" is disabled by default.
.... Insufficient proof of work
The Hashcash project also fails as a proper proof of work scheme:
* 1 in 256 random answers will be accepted as the correct answer.
* The discrepancy in resources between a legitimate user using the
Javascript hash implementation and an optimal attacker using a GPGPU
implementation makes the cost of calculating a Hashcash token negligible
for the attacker.
The protection against spambots offered by the Drupal Hashcash project hinges
on the lack of interest on the part of an attacker.
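A minimal hashcash-style verifier and minter, added here as an illustration and not the module's own code. The advisory does not give the module's exact check, so this assumes a verifier that requires a configurable number of leading zero bits in SHA-1(challenge || token); a difficulty of 8 bits reproduces the 1-in-256 acceptance rate of random answers described above, and the expected minting cost of 2^difficulty hashes shows why that is no barrier to an attacker.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (the 'partial collision' measure)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        # bit_length() of a non-zero byte locates its first 1 bit
        bits += 8 - byte.bit_length()
        break
    return bits


def verify(challenge: str, token: str, difficulty: int) -> bool:
    """Accept the token if SHA-1(challenge || token) has `difficulty` leading zero bits.

    Assumed verifier shape; the advisory only states the 1/256 acceptance rate."""
    digest = hashlib.sha1((challenge + token).encode()).digest()
    return leading_zero_bits(digest) >= difficulty


def mint(challenge: str, difficulty: int) -> str:
    """Brute-force a valid token; expected cost is 2**difficulty hash evaluations."""
    counter = 0
    while True:
        token = str(counter)
        if verify(challenge, token, difficulty):
            return token
        counter += 1


def random_acceptance(challenge: str, difficulty: int, trials: int) -> float:
    """Fraction of arbitrary (non-minted) tokens the verifier accepts."""
    accepted = sum(verify(challenge, f"guess-{i}", difficulty) for i in range(trials))
    return accepted / trials


if __name__ == "__main__":
    challenge = "comment_form:2012-06-27"  # constructed sample challenge string
    for difficulty in (8, 20):
        rate = random_acceptance(challenge, difficulty, 50_000)
        print(f"{difficulty:2d} bits: expected work 2^{difficulty} = {2 ** difficulty:>8d} hashes, "
              f"random guesses accepted {rate:.5f} (ideal {1 / 2 ** difficulty:.7f})")
```

At 8 bits a spambot needs on average only 256 SHA-1 evaluations per submission, and roughly one in 256 arbitrary strings passes without any work at all.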
CVE: Requested
-------- VERSIONS AFFECTED ---------------------------------------------------
* Hashcash 6.x-2.x versions prior to 6.x-2.6
* Hashcash 7.x-2.x versions prior to 7.x-2.2
Drupal core is not affected. If you do not use the contributed Hashcash [3]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
To solve the cross site scripting issue, install the latest version:
* If you use the Hashcash module for Drupal 6.x, upgrade to Hashcash 6.x-2.6 [4]
* If you use the Hashcash module for Drupal 7.x, upgrade to Hashcash 7.x-2.2 [5]
There is no solution for the insufficient proof of work. You need to consider
the consequences of this for your sites.
Also see the Hashcash [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Heine Deelstra [7]
-------- FIXED BY ------------------------------------------------------------
* Simon Rycroft [8], the module maintainer
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/hashcash
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/hashcash
[4] http://drupal.org/node/1650784
[5] http://drupal.org/node/1650790
[6] http://drupal.org/project/hashcash
[7] http://drupal.org/user/17943
[8] http://drupal.org/user/151544
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news