Drupal Answers Module Contains XSS Vulnerability

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Date: Sept 12, 2008
* Security risk: medium
* Exploitable from: Remote
* Vulnerability: Cross site scripting

Description

Drupal is a robust content management system (CMS) that provides
extensibility through hundreds of third party modules.  While the
security of Drupal core modules is vetted by a central security team,
third party modules are not reviewed for security.

The Answers module (http://drupal.org/project/answers), created by
"Drupal experts" TickleSpace (http://ticklespace.com/) is designed to
allow users to create "quests" in the form of questions.  Users are then
allowed to post answers to these quests.  However, the answers submitted
by users are not properly sanitized, leading to cross site scripting
vulnerabilities.  When a user posts a Simple Answer, using the link
provided in nodes that are questions, the data entered in the "Answer:"
text area is not sanitized for display.  Users can enter malicious
javascript or other data.  In a default configuration this data is then
rendered on the front page of the Drupal installation, subjecting users
to a cross site scripting attack.

Vulnerable Versions

5.x-1.x-dev, dated 2008-May-22 was tested and shown vulnerable.

Testing for Vulnerability

Entering a value of "<script>alert('foo');</script>" as an answer will
cause an alert box with the text "foo" to appear whenever the answer is
displayed.

Impact

Depending on configuration, this vulnerability allows unauthenticated
users to remotely inject malicious content that could be displayed to
all web site users.  Such content could include links to malware that
could lead to possible system compromise.

Determining Version

The answers.info page for vulnerable versions displays the following
information:

; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $
name = Questions
description =  Allows users track their questions.
package = "Answers"

; Information added by drupal.org packaging script on 2008-05-22
version = "5.x-1.x-dev"
project = "answers"
datestamp = "1211414452"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).

Vendor Response

The module developer has not responded to contact attempts.

- --
Mad Irish
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSMp1CZEpbGy7DdYAAQKfmwb/XcYp9dDrE5j9AbO2r9Mt6rnhVKBL/jsT
p4ty8q4U34rsv9aI8pj2Pje/bbs+ryyI+HroeS7isnt7La1O7XZUc/NHONxAB6F/
x1K9LgF1YWHidOk6eTbJ9kZ95yf55lBjAZi87+NWyORAId4hhC+SKIHwPA6xmkGM
o764yXAEbcHSU98T+OnHesxXPor8p60sukPmMd5OA0f3dYPFPXVe7tfjgQL09SRO
gXQjvmKTfyBdJkEWBnM7LFir7aC6f7iI9ygCEPryokF5tD/fyaxnh1U09q6d62u6
24fdlKKK08g=
=e9jj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/