Full Disclosure mailing list archives

Drupal Panels Module XSS Vulnerability


From: Justin Klein Keane <justin () madirish net>
Date: Thu, 19 Jan 2012 08:41:55 -0500

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Panels module
(http://drupal.org/project/panels) "allows a site administrator to
create customized layouts for multiple uses. At its core it is a drag
and drop content manager that lets you visually design a layout and
place content within that layout."  Unfortunately the Panels module
contains a persistent arbitrary HTML injection vulnerability (also known
as cross site scripting, or XSS) because it fails to sanitize
user-supplied input before display.

Systems affected:  
-----------------
Drupal 6.22 with Panels 6.x-3.9 was tested and shown to be vulnerable.

Impact
------
The Panels module is deployed on over 100,000 Drupal sites according to
the module project page.  A user could inject arbitrary scripts into pages
affecting site users.  This could result in administrative account
compromise leading to web server process compromise.  A more likely
scenario would be for an attacker to inject hidden content (such as
iframes, applets, or embedded objects) that would attack client browsers
in an attempt to compromise site users' machines.  This vulnerability
could also be used to launch cross site request forgery (XSRF) attacks
against the site that could have other unexpected consequences.

Mitigating factors:  
-------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the 'use
page manager' and 'administer advanced pane settings' permissions.  This
could be accomplished via social engineering, brute force password
guessing, or abuse of legitimate credentials.

Proof of concept:
-----------------
1.  Install Drupal 6-22, Panels 6.x-3.9, 6.x-1.8 and Ctools module (a
prerequisite)
2.  Enable the Panels module and the page manager in Ctools
from ?q=/admin/build/modules
3.  Go to ?q=admin/build/panels/layouts/add
4.  Click 'Add flexible layout' beneath the 'Layouts' tab at the top
5.  Enter an arbitrary title, name and description
6.  Click the 'Row' link and select 'Add region to right'
7.  Enter '"><script>alert("xss1");</script><div' for the 'Region
title:'
9.  Click 'Save'
10.  Observe rendered JavaScript.
11.  Click 'Save' to save the layout, XSS will persist at the URL:
?q=admin/build/panels/layouts/list/[name]/edit where [name] is the
administrative name of the layout


Patch:
------------------------------------------
Applying the following patch mitigates this issue in version 6.x-3.9

--- ---
panels/plugins/display_renderers/panels_renderer_editor.class.php
2010-10-29 15:05:21.000000000 -0400
+++ panels/plugins/display_renderers/panels_renderer_editor.class.php
2011-11-29 21:30:34.121425387 -0500
@@ -91,7 +91,7 @@ class panels_renderer_editor extends pan
     // @todo this should be panel-region not panels-display -- but CSS
and .js has to be updated.
     $output = "<div class='panels-display'
id='panel-pane-$region_id'>";
     $output .= $panel_buttons;
-    $output .= "<h2 class='label'>" .
$this->plugins['layout']['panels'][$region_id] . "</h2>";
+    $output .= "<h2 class='label'>" .
check_plain($this->plugins['layout']['panels'][$region_id]) . "</h2>";
     $output .= $content;
     $output .= "</div>";
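
Review bot: The context line that builds id='panel-pane-$region_id' still interpolates $region_id into a single-quoted attribute with no encoding, while the change only encodes the text inside the h2. If a region ID can be derived from anything a layout editor types, pass it through check_plain() as well (it encodes both quote characters, so it is suitable for the attribute), or note in a comment where $region_id is validated. $panel_buttons and $content are also appended raw; a one-line comment stating that both are already-rendered markup would make that assumption checkable in review.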

Vendor Response:
-----------------
Update to the latest version of Panels (ref: SA-CONTRIB-2012-011
https://drupal.org/node/1409436).

The text of this advisory is also published at
http://www.madirish.net/content/drupal-panels-6x-39-xss-vulnerability

-- 
Justin Klein Keane
http://www.MadIrish.net


Attachment: signature.asc
Description: This is a digitally signed message part
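
The output-encoding fix described in the advisory above, shown as an added example that is not part of the original post or of the Panels code base. escape_plain() is a hypothetical stand-in for Drupal 6's check_plain(), render_region() only mirrors the shape of the patched lines, and 'region_1' is a constructed region ID; the script parses both renderings with PHP's DOM extension to show whether the region title is treated as markup or as text.

```php
<?php
// Added illustration; not code from the Panels module.

// Hypothetical stand-in for Drupal 6's check_plain(): encode HTML
// metacharacters, including both quote characters.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mirrors the shape of the region wrapper in the patched renderer.
// $escape = false reproduces the behaviour before the patch.
function render_region($region_id, $title, $escape) {
  $label = $escape ? escape_plain($title) : $title;
  return "<div class='panels-display' id='panel-pane-$region_id'>"
       . "<h2 class='label'>" . $label . "</h2></div>";
}

// Count the <script> elements an HTML parser builds from the markup.
function count_scripts($html) {
  $doc = new DOMDocument();
  libxml_use_internal_errors(true);  // tolerate the malformed markup
  $doc->loadHTML('<html><body>' . $html . '</body></html>');
  libxml_clear_errors();
  return $doc->getElementsByTagName('script')->length;
}

// Region title taken from step 7 of the proof of concept.
$title = '"><script>alert("xss1");</script><div';

$before = render_region('region_1', $title, false);
$after  = render_region('region_1', $title, true);

printf("without encoding: %d script element(s)\n", count_scripts($before));
printf("with encoding:    %d script element(s)\n", count_scripts($after));

// The encoded rendering, for inspection: the title survives as text.
echo $after, "\n";
```

The same parse-and-count check can be kept as a regression test around any renderer that prints administrator-entered labels.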
