Third party theft, fire, and XSS

Drupal has addressed the knock-on effects of a recently resolved cross-site scripting (XSS) flaw in jQuery JavaScript library and Symfony’s Web Application framework, among other problems.

jQuery is integrated in Drupal core, so flaws in the component meant that sites using the popular content management package were left vulnerable. The flaw – described as a minor vulnerability fix in Object.prototype pollution – is resolved in the latest jQuery 3.4.0 release.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, ...). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype,” jQuery’s security notice explains.

The bug gives rise to what Drupal described as a “moderately critical” XSS vulnerability in an advisory on Wednesday.

“It’s possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update,” according to Drupal’s security team.

Site admins are advised to update to either Drupal 8.6.15, 8.5.15 or Drupal 7.66 (as appropriate) in order to resolve the issue.

Symfony in Blue

The same set of updates resolve a number of other issues including issues with escape validation messages in a PHP templating engine (CVE-2019-10909), shortcomings in the validation of service IDs (CVE-2019-10910), and problems with cookie hashing (CVE-2019-10911). All three problems add up to a “moderately critical” security risk, according to an advisory by Drupal covering all three flaws.

All three issues relate to bugs in the Symfony component used by the Drupal core. Like the jQuery bug, a flaw in Symfony’s PHP templating engine creates an XSS risk.

The cookie hashing flaw is of particular note for admins of Single Sign-On (SSO) systems, as it could allow a malicious user to log on as someone else by tricking the system into thinking a username is a time stamp.

“Part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time,” Symfony’s advisory explains.

“An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash, or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).”