By Dan Goodin in San Francisco
10th May 2010
A researcher has uncovered a potentially serious vulnerability in the
open-source content management system used by the White House website
and thousands of other sites.
The XSS, or cross-site scripting, bug resides in the Drupal Context
module, a plug-in that Whitehouse.gov and about 10,000 other sites use
to manage how content is viewed on their sites. According to an advisory
published Monday by researcher Justin Klein Keane, the flaw allows
attackers to inject malicious scripts into login pages that will reset
the site's administrative password.
The discovery is notable because it comes less than three weeks after
the White House released a plug-in of its own that requires use of the
vulnerable Context module. It raises questions about the level of review
carried out by the people who coded the Context HTTP Headers module.
Administration officials installed it on the sensitive Obama website and
released it to great fanfare in late April at the DrupalCon conference
in San Francisco.
"My worry is that they just launched this revamped Drupal site and it
doesn't look like anybody did a serious security audit," said a security
researcher who has reviewed the bug and asked that his name not be used
in this article. "You can find this hole without much digging, but who
knows what else may or may not be there. If one had done that kind of
vulnerability assessment even casually, you would expect you would
uncover these kinds of things."
Best Selling Security Books and More!
Shop InfoSec News