Full Disclosure mailing list archives
Drupal 6.15 (core) Profile Module XSS Vulnerability
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Wed, 03 Mar 2010 15:09:35 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Details of this disclosure have been posted at http://www.madirish.net/?article=450 NB: - ----- This vulnerability was publicly described in Drupal 7 (http://drupal.org/node/611532). Furthermore the Drupal security guidelines state that vulnerabilities that require 'Administer users' do not require a security announcement (http://drupal.org/node/475848). Thus, this report serves only to call out the vulnerability in Drupal 6. Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The profile module is provided as part of the Drupal 6 core modules and contains several arbitrary script injection vulnerabilities that can allow users with the 'administer users' permission to inject scripts into category names and explanations. Systems affected: - ----------------- Drupal 6.15 was tested and shown to be vulnerable Mitigating factors: - ------------------- Attacker must have 'administer users' and 'access administration pages" permissions in order to exploit this vulnerability. Proof of concept: - ----------------- 1. Install Drupal 6.15. 2. Enable the profile module from Administer -> Site building -> Modules 3. Go to Administer -> User management -> Profiles and click on 'single-line textfield' 4. Enter "<script>alert('xss1');</script>" for Category 5. Enter "<script>alert('xss2');</script>" for Explanation 6. Fill in arbitrary values for other fields and click 'Save field' button 7. Observe the category XSS on the resulting page 8. Click Administer -> Users, and select a user and click the 'Edit' link 9. Click the "<script>alert('xss1');</script>" tab at the top of the form 10. Observe the second XSS on the resulting page. Drupal 6 Patch - -------------- Applying the following patch mitigates these threats. - --- drupal-6.15/modules/profile/profile.admin.inc 2008-10-16 08:43:08.000000000 -0400 +++ drupal-6.15.patched/modules/profile/profile.admin.inc 2010-03-03 14:33:44.740024567 -0500 @@ -25,7 +25,7 @@ function profile_admin_overview() { $form[$field->fid]['name'] = array('#value' => check_plain($field->name)); $form[$field->fid]['title'] = array('#value' => check_plain($field->title)); $form[$field->fid]['type'] = array('#value' => $field->type); - - $form[$field->fid]['category'] = array('#type' => 'select', '#default_value' => $field->category, '#options' => array()); + $form[$field->fid]['category'] = array('#type' => 'select', '#default_value' => check_plain($field->category), '#options' => array()); $form[$field->fid]['weight'] = array('#type' => 'weight', '#default_value' => $field->weight); $form[$field->fid]['edit'] = array('#value' => l(t('edit'), "admin/user/profile/edit/$field->fid")); $form[$field->fid]['delete'] = array('#value' => l(t('delete'), "admin/user/profile/delete/$field->fid")); diff -up drupal-6.15.new/modules/profile/profile.module drupal-6.15.clean/modules/profile/profile.module - --- drupal-6.15.new/modules/profile/profile.module 2009-01-12 05:09:19.000000000 -0500 +++ drupal-6.15.clean/modules/profile/profile.module 2010-03-03 14:32:54.749038065 -0500 @@ -341,7 +341,7 @@ function _profile_form_explanation($fiel $output .= ' '. t('The content of this field is kept private and will not be shown publicly.'); } - - return $output; + return check_plain($output); } function profile_form_profile($edit, $user, $category, $register = FALSE) { - -- Justin C. Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAkuOwf8ACgkQkSlsbLsN1gDDNwb8DxT9tIGOM0pxme6uadYY+j/q 26aHqh2T4mUVDsUzM6egQvGrCqQaUpagjb6b+lhZsmCvbv30Fo7l+4DXCjrKeZS9 Y2yMuY5xks3bMKtWpbiFfH8V1wb46maWH5h2d4rg6d1sbv6ZREF7lDKhMxkkMmGn 7ZHJl6bbUbgUxLIKfazxz7Gsq3CHNZrfMz3wp2tNMKeafdNG2dd5T0KJT6wlN8+G lbNsLj11U08gzhvq9jRjGUWjK9q9LZeOmBELnYBc8cNOsVeAHD4KPC/H81tCIn9i mf1cvmm0gh2/7akbF40= =mqfE -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drupal 6.15 (core) Profile Module XSS Vulnerability Justin C. Klein Keane (Mar 03)