Full Disclosure mailing list archives

Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability


From: Justin Klein Keane <justin () madirish net>
Date: Fri, 09 Oct 2009 14:53:50 -0400


Full details of this report are posted at
http://www.madirish.net/?article=430

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Wikitools module
(http://drupal.org/project/wikitools) "provides some settings to get a
more wiki-like behavior. It aims to be lightweight; all features are
optional, and it provides no database tables of its own."

The Wikitools module contains a cross-site scripting vulnerability
because it does not properly sanitize content type names before
displaying them.

Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise, which could in turn lead to compromise of the web server
process.

Mitigating factors:
-------------------
The Wikitools module must be installed.  To carry out a Site map based
XSS exploit, the attacker must have 'administer content type' permissions.

Proof of Concept:
-----------------
1.  Install Drupal
2.  Install Wikitools
3.  Create a new content type from Administer -> Content management ->
Content types -> Add content type
4.  Enter "<script>alert('xss');</script>" for the content type name and
save the new content type
5.  Enable the Wikitools module from Administer -> Site Building -> Modules
6.  Click on Administer -> Site configuration -> Wikitools to observe
the JavaScript

Technical details:
------------------
The Wikitools module fails to sanitize the output of content type names
before display, leading to an arbitrary HTML injection vulnerability.

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

- --- wikitools/wikitools.module  2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module    2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
- -    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#size' => count(node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
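Review bot: filter_xss on the '#options' labels at the changed line is weaker than the data warrants: a content type name is plain text, and filter_xss keeps its default whitelist of tags (a, em, strong, cite, code, ul, ol, li, dl, dt, dd) as live markup, so a name built from those tags still renders as HTML in the settings form. check_plain is the escaping Drupal uses for plain-text labels; `'#options' => array_map('check_plain', node_get_types('names')),` would neutralize every tag rather than only the non-whitelisted ones. As a style point, the '#size' line below calls node_get_types('names') a second time; fetching the names into a local once and reusing it for both keys avoids the duplicate call.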

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

- --- wikitools/wikitools.admin.inc       2009-06-17 23:57:33.000000000
-0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
- -    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
     '#description' => t('Select the node types which will be affected
by the specified options. If you select multiple node types, all nodes
of these types will be searched for when a wikipath is entered. If a
wikipage doesn\'t exist, an option to create any of these types will be
given.'),
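Review bot: the changed line narrows rather than removes HTML rendering of the type names, because filter_xss passes its whitelisted tags (such as a, em and strong) through untouched while stripping the rest; for option labels that are expected to be plain text, check_plain (`array_map('check_plain', node_get_types('names'))`) is the stricter and more conventional choice in Drupal form code. The '#description' value in the trailing context is a fixed t() string and does not incorporate the type names, so no further change is needed in this element.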

Vendor Response
---------------

In the past the vendor has responded that vulnerabilities requiring
'administer content types' privileges have already been addressed by
SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not
classified as security vulnerabilities, but rather as bugs.

--
Justin C. Klein Keane
http://www.MadIrish.net
