Full Disclosure mailing list archives
Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 09 Oct 2009 15:01:56 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The full text of this disclosure is posted at http://www.madirish.net/?article=429 Description of Vulnerability: - - - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. Drupal 5.20 and 6.14 fail to properly filter the 'Site name' and 'Site slogan' variables before display in the HTML headers of the page display. Systems affected: - - - ----------------- Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable. Impact: - - - ------- XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: - - - ------------------- To carry out a filter based XSS exploit the attacker must have 'administer site configuration' permissions. Proof of Concept 1: - - --------------------- 1. Install Drupal 2. Change the site name via Administer -> Site configuration -> Site Information 3. Enter '</title><script>alert('xss');</script>' for the 'Name' value 4. Click the 'Save configuration' button to view the JavaScript Technical details: - - ------------------------ Drupal fails to sanitize the output of the site name in the HTML title tag, if the site name contains a closing title tag (i.e. "</title>") this will interrupt the HTML rendering in most browsers, allowing attackers to inject JavaScript. Although in many cases the JavaScript is properly escaped during the site name display, if sites use a template that obfuscates this display (such as those that use an image layer and CSS to hide the actual text of the site name) there may be no indication that an attack is occurring. This vulnerability also affects the 'Site slogan' value during the homepage display. The source of this vulnerability in Drupal 5.20 is the failure to sanitize output of the variable_get('site_name', 'Drupal) call on line 204 of themes/engines/phptemplate.engine. Similarly output is not sanitized on lines 207 and 209. The source of this vulnerability in Drupal 6.14 is the failure to sanitize output of the variable_get('site_name', 'Drupal) call on lines 1799 and 1802 of includes/theme.inc. Similarly output of the site slogan is not sanitized on line 1804. Patch for Drupal 5.20 - ---------------------- Applying the following patch mitigates these threats in Drupal 5.20. - --- themes/engines/phptemplate/phptemplate.engine 2009-05-13 12:36:22.000000000 -0400 +++ themes/engines/phptemplate/phptemplate.engine 2009-10-09 13:35:56.167099573 -0400 @@ -201,12 +201,12 @@ function phptemplate_page($content, $sho } // Construct page title if (drupal_get_title()) { - - $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal')); + $head_title = array(strip_tags(drupal_get_title()), strip_tags(variable_get('site_name', 'Drupal'))); } else { - - $head_title = array(variable_get('site_name', 'Drupal')); + $head_title = array(strip_tags(variable_get('site_name', 'Drupal'))); if (variable_get('site_slogan', '')) { - - $head_title[] = variable_get('site_slogan', ''); + $head_title[] = strip_tags(variable_get('site_slogan', '')); } } Patch for Drupal 6.14 - ---------------------- Applying the following patch mitigates these threats in Drupal 6.14. - --- includes/theme.inc 2009-06-18 08:04:04.000000000 -0400 +++ includes/theme.inc 2009-10-09 13:42:40.523125334 -0400 @@ -1796,12 +1796,12 @@ function template_preprocess_page(&$vari // Construct page title if (drupal_get_title()) { - - $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal')); + $head_title = array(strip_tags(drupal_get_title()), strip_tags(variable_get('site_name', 'Drupal'))); } else { - - $head_title = array(variable_get('site_name', 'Drupal')); + $head_title = array(strip_tags(variable_get('site_name', 'Drupal'))); if (variable_get('site_slogan', '')) { - - $head_title[] = variable_get('site_slogan', ''); + $head_title[] = strip_tags(variable_get('site_slogan', '')); } } $variables['head_title'] = implode(' | ', $head_title); Vendor Response: - ---------------- Vendor reports that this issue is already public (Ref http://drupal.org/node/461938) and requires advanced permissions (http://drupal.org/node/475848) so will not be addressed with an SA. - -- Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iQD1AwUBSs+IpJEpbGy7DdYAAQIdhgb/QQ1ez7M8TsZZZOt31FV4WvEngvviSkmX l9Bitw8v17cfDnW8ZV/z2QCO51zQRkZrpErTHAV4uNpNKPC++DTkGgBDlhBdNQX5 VMgfHxT5NQzqpv/haIh9AK4QDObSkaOZ76A+fzS6EYTawTyvhhw/dFDh0tIbrjnt U3HeLJiPVz1baJtwH3wMe0u8QQBqBBmVsIP+rYIBB5viieI/wtml2r/cpBuyZfN3 GVsxiz2qhvlwIWRQvQCPD3EiaeIdaP+z3Pt/WhiRKCiYWH8F8gulalUJc5o/T0zr DuHHaaHwOaM= =BArb -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities Justin Klein Keane (Oct 09)