Full Disclosure mailing list archives
Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 09 Oct 2009 14:53:50 -0400
Full details of this report are posted at http://www.madirish.net/?article=430

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Wikitools module (http://drupal.org/project/wikitools) "provides some settings to get a more wiki-like behavior. It aims to be lightweight; all features are optional, and it provides no database tables of its own."

The Wikitools module contains a cross site scripting vulnerability because it does not properly sanitize output of content types before display.

Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:
-------------------
The Wikitools module must be installed. To carry out a Site map based XSS exploit the attacker must have 'administer content type' permissions.

Proof of Concept:
---------------------
1. Install Drupal
2. Install Wikitools
3. Create a new content type from Administer -> Content management -> Content types -> Add content type
4. Enter "<script>alert('xss');</script>" for the content type name and save the new content type
5. Enable the Wikitools module from Administer -> Site Building -> Modules
6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript

Technical details:
------------------------
The Wikitools module fails to sanitize the output of content type names before display, leading to an arbitrary HTML injection vulnerability.

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.
- --- wikitools/wikitools.module 2009-03-25 15:15:47.000000000 -0400 +++ wikitools.fixed/wikitools.module 2009-10-09 12:04:03.055556867 -0400 @@ -132,7 +132,7 @@ function wikitools_admin_settings() { $form['wikitools_node_types'] = array( '#type' => 'checkboxes', '#title' => t('Wiki node types'), - - '#options' => node_get_types('names'), + '#options' => array_map('filter_xss', node_get_types('names')), '#size' => count(node_get_types('names')), '#default_value' => wikitools_node_types(), '#multiple' => TRUE,

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

- --- wikitools/wikitools.admin.inc 2009-06-17 23:57:33.000000000 -0400 +++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() { $form['wikitools_node_types'] = array( '#type' => 'checkboxes', '#title' => t('Wiki node types'), - - '#options' => node_get_types('names'), + '#options' => array_map('filter_xss', node_get_types('names')), '#default_value' => wikitools_node_types(), '#multiple' => TRUE, '#description' => t('Select the node types which will be affected by the specified options. If you select multiple node types, all nodes of these types will be searched for when a wikipath is entered. If a wikipage doesn\'t exist, an option to create any of these types will be given.'),

Vendor Response
---------------
In the past the vendor has responded that vulnerabilities requiring 'administer content types' privileges have already been addressed by SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not classified as security vulnerabilities, but rather as bugs.

--
Justin C. Klein Keane
http://www.MadIrish.net
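Review bot: In the 5.x-1.3 hunk (wikitools.module, @@ -132,7), the added '#options' => array_map('filter_xss', node_get_types('names')) line calls filter_xss() with its default tag allowlist, so a content type name can still carry whatever HTML that allowlist permits into the checkbox labels. Content type names are plain-text labels, so mapping them through check_plain() would escape all markup and is the closer fit. The unchanged '#size' => count(node_get_types('names')) line also calls node_get_types('names') a second time; building the sanitized array once in a local variable and using it for both '#options' and '#size' would keep the two in step.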
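Review bot: In the 6.x-1.2 hunk (wikitools.admin.inc, @@ -37,7), only the '#options' of this settings form is escaped, yet the '#description' context line states that when a wikipage doesn't exist "an option to create any of these types will be given", which means type names are rendered on at least one other page that this patch does not touch. That output path should be checked for the same unescaped use of node_get_types('names') and fixed in the same change. As with the 5.x hunk, filter_xss() is applied with its default allowlist here, and check_plain() would be the stricter choice for a plain-text name.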