Re: XSS in Drupal Better Formats Module

[Henri Salo <henri () nerv fi>]

On Tue, 27 Apr 2010 12:07:17 -0400
"Justin C. Klein Keane" <justin () madirish net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Description of Vulnerability:
> - -----------------------------
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL.  The Drupal Better Formats module
> (http://drupal.org/project/better_formats) contains a cross site
> scripting (XSS) vulnerability due to the fact that it fails to
> sanitize format names before display.
>
> Systems affected:
> - -----------------
> Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be
> vulnerable
>
> Impact
> - ------
> User could inject arbitrary scripts into pages affecting site users.
> This could result in administrative account compromise leading to web
> server process compromise.
>
> Mitigating factors:
> - -------------------
> In order to execute arbitrary script injection malicious users must
> have 'Administer filters' permission.  The Drupal security team has
> classified vulnerabilities that require this permission
> (http://drupal.org/node/475848) as "display bugs" because access to
> this permission allows for alteration of input specifications that
> could allow users with permissions to create content to craft
> arbitrary PHP. However, in a situation where a user had "administer
> filters" permission but could not create content this vulnerability
> could be used to attack other Drupal users.
>
> Patch:
> - ------------------------------------------
> Applying the following patch mitigates this issue in version 6.x-1.2.
>
> - --- better_formats/better_formats.module    2010-02-05
> 08:59:18.000000000 -0500
> +++ better_formats/better_formats.module      2010-04-27
> 11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function
> better_formats_filter_form($val
>
>      $form = array(
>        '#type' => 'fieldset',
> - -      '#title' => $fieldset_title,
> +      '#title' => check_plain($fieldset_title),
>        '#collapsible' => $collapsible,
>        '#collapsed' => $collapsed,
>        '#weight' => $weight,
> @@ -551,7 +551,7 @@ function better_formats_filter_form($val
>        $parents_for_id = array_merge($parents,
> array($format->format)); $form[$format->format] = array(
>          '#type' => 'radio',
> - -        '#title' => $format->name,
> +        '#title' => check_plain($format->name),
>          '#default_value' => $default,
>          '#return_value' => $format->format,
>          '#parents' => $parents,
>
> - -- 
> Justin C. Klein Keane
> http://www.MadIrish.net
>
> The digital signature on this message can be confirmed
> using the public key at http://www.madirish.net/gpgkey
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iPsEAQECAAYFAkvXC7UACgkQkSlsbLsN1gAYFQb4mjTDJY/6KP2JQIv0pK9H/20s
> g/+dwvKFc78AQMMKqDzi3rfqF4L+RzE6bHPsKHmN7yWIxIGMccbL13rOAvarEzgZ
> jYyfC24Lbhla38p4JkwWltxPNgsH10wXLGdv+BsiFp8oZUpuAQez0N0SNxhr1mX5
> rzZ0fgBEQm7WMmgH9qyLdso1erEQ5sLgPmED5dsaYK2Z2QHBgN19Ed0P1iEZpTdy
> anFseTfo00Uts6zOd3loQ/ZeaAOAnYFZwunOtHVurFPyWpAaM1DGVAOHHWtR265d
> jQMygOdRmQ5qtV/HpA==
> =z0IC
> -----END PGP SIGNATURE-----

Have you requested CVE-identifier for this vulnerability?

---
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/