Full Disclosure mailing list archives
Drupal 6 Email Field XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Mon, 08 Jun 2009 15:15:28 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Summary Report
Author: Justin C. Klein Keane <justin () madirish net>
Vendor Response: See below
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-6-email-field-xss-vulnerability

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Email Field module (http://drupal.org/project/email) extends the Content Construction Kit (CCK) module (http://drupal.org/project/cck) with a CCK field type for e-mail addresses. The Email Field module contains a cross site scripting vulnerability: it fails to sanitize the help text entered by users during content type configuration, and that text is later rendered unescaped as the description of the e-mail widget on the field configuration and node creation forms.

Systems affected:
- -----------------
Drupal 6.12 with Email Field 6.x-1.1 was tested and shown to be vulnerable.

Impact:
- -------
XSS vulnerabilities may expose site administrative accounts to compromise, since the injected script runs in the browser of any user who views a form containing the field, including administrators. Compromise of an administrative account could in turn lead to compromise of the web server process.

Mitigating factors:
- -------------------
The CCK and Email Field modules must be installed. To carry out the proof of concept below the attacker must authenticate as a user with 'administer content types' permission. Other attack vectors may exist.

Proof of Concept:
- -----------------
1. Install the CCK and Email Field modules
2. Log in as a user with 'administer content types' permission
3. Click Administer -> Content management -> Content types
4. Click the 'Add a new content type' link
5. Fill in arbitrary values
6. Click the 'Save content type' button
7. Click 'manage fields' under the Operations column on the Administer -> Content management -> Content types screen for the new content type
8. Fill in a new field label and field name
9. Select 'Email' for the type of data to store
10. Click the 'Save' button
11. In the "Help text:" field enter "<script>alert('xss');</script>"
12. Click the 'Save field settings' button
13. Click the 'Configure' link next to the new 'Email' field
14. Observe the JavaScript alert

- -or-, after step 12:

13. Click the 'Create content' link
14. Click the link for the newly created content type
15. Observe the JavaScript alert

Vendor Response
- ---------------
Drupal security has consistently pointed to http://drupal.org/node/372836 in response to vulnerabilities that require the 'administer content types' permission.

Follow up
- ---------
The following patch was submitted to the module maintainer and should mitigate the vulnerability (Ref: http://drupal.org/node/485492):

- --- email/email.module 2008-08-12 04:12:02.000000000 -0400 +++ email_fixed/email.module 2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen $element[$field_key] = array( '#type' => 'textfield', '#title' => t($field['widget']['label']), - - '#description' => t($field['widget']['description']), + '#description' => check_plain(t($field['widget']['description'])), '#required' => $element['#required'], '#maxlength' => 255, '#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iPwEAQECAAYFAkotY1AACgkQkSlsbLsN1gB2RQcAqXaLO4AcpgXGsQcJi2QnGVDc
A6eF3Bv2fu+YoMqpECsf4QjU8wimiwmlm3cOBtJOLpymwiL4Pg2it+muRfYbNcLq
gS9+CCHjpTtYOygEBpy4d/mCxKxA8BfFQoEjixTvK57T05MxVevGgMjvFkblk6VZ
RwUQn5YnA61NSx4HUz7E2zvK0ftT0T0HxwaKkCiccoA896dGDmByBk/bplQ1C+BM
dAtco6G3MhT615k2c1T0TzxXx23+Yw5bLbmsXU1ptDbOhI1CjkAWxM+ZfCy4VB6C
GGyK+UqW/h8udPjyTXE=
=XKXQ
-----END PGP SIGNATURE-----
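Review bot: the hunk only escapes the description where email_textfield_process() builds the node-edit widget, but the proof of concept above reports the alert firing on the field 'Configure' page as well (steps 13-14 of the first path), and that page is CCK's field settings form rather than this function. Confirm that path also passes the widget description through check_plain(); otherwise the stored payload still executes for any administrator who opens the field's configuration. Escaping at render time with check_plain(t(...)) is the right convention for Drupal 6 (escape on output, not on save), so the help-text input handling itself needs no change in this hunk.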
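To make the patch concrete, the following stand-alone PHP script is an added example, not code from the advisory or from the Email Field module. It rebuilds the widget element the way the unpatched and patched email_textfield_process() do, renders its description the way Drupal 6's theme_form_element() does (the description is printed into the page as-is), and feeds it the advisory's help-text payload. The t() and check_plain() functions are stubs written here to approximate Drupal 6 behaviour so the script runs without Drupal; they and the field array are assumptions, not the real core code.

```php
<?php
// Added example: not from the advisory or the Email Field module.
// Drupal core functions are stubbed so this runs without Drupal; the stubs
// approximate Drupal 6 behaviour and are assumptions, not the real code.

// Approximation of Drupal 6 check_plain(): HTML-escape a string so that it
// can be printed into markup as plain text.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stub of t(): with no placeholders, Drupal 6 returns the (translated)
// string unchanged, so the attacker-controlled text passes straight through.
function t($string) {
    return $string;
}

// Build the textfield element the way email_textfield_process() does.
// $escape = FALSE reproduces the vulnerable 6.x-1.1 code; TRUE applies the
// one-line patch from the advisory. '#required' is simplified to FALSE here.
function build_email_textfield(array $field, $escape) {
    $description = t($field['widget']['description']);
    return array(
        '#type' => 'textfield',
        '#title' => t($field['widget']['label']),
        '#description' => $escape ? check_plain($description) : $description,
        '#required' => FALSE,
        '#maxlength' => 255,
        '#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,
    );
}

// Minimal stand-in for theme_form_element(): Drupal 6 prints #description
// into the page without further escaping, which is why the value placed in
// the element must already be safe HTML.
function render_description(array $element) {
    return '<div class="description">' . $element['#description'] . '</div>';
}

// Constructed field definition carrying the advisory's proof-of-concept
// help text, as an administrator would enter it in the "Help text:" field.
$field = array(
    'widget' => array(
        'label' => 'Contact e-mail',
        'description' => "<script>alert('xss');</script>",
        'size' => 40,
    ),
);

$vulnerable = render_description(build_email_textfield($field, FALSE));
$fixed = render_description(build_email_textfield($field, TRUE));

echo "Unpatched: $vulnerable\n";
echo "Patched:   $fixed\n";

// The check a tester would script: the raw <script> tag must survive only
// in the unpatched output.
assert(strpos($vulnerable, '<script>') !== FALSE);
assert(strpos($fixed, '<script>') === FALSE);
```

Run it with `php example.php`. The patched line shows the tag reduced to `&lt;script&gt;`, which the browser displays as literal text inside the description div instead of executing it; the same escape-on-output pattern is what any other code path that prints the widget description (for example the field configuration form reached through the 'Configure' link) needs to apply.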
Current thread:
- Drupal 6 Email Field XSS Vulnerability Justin Klein Keane (Jun 08)