-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Description of Vulnerability: - - - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Service links module (http://drupal.org/project/service_links) "enables admins to add links to a number of social bookmarking sites, blog search sites etc. "
The Service Links module contains a cross site scripting vulnerability because it does not properly sanitize output of content type names before display. Systems affected: - - - ----------------- Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be vulnerable. Impact: - - - ------- XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: - - - ------------------- The Service links module must be installed. To carry out a Service links based XSS exploit the attacker must have 'administer content types' permissions. Proof of Concept: - - --------------------- 1. Install Drupal 6.14 2. Install Service links 6.x-1.0 3. Enable the Service links module from Administer -> Site building -> Modules 4. Create a new Content type from Administer -> Content management -> Content types and click 'Add content type' 5. For the 'name' field enter "<script>alert('xss');</script>" and save the content type 6. Click Administer -> Site configuration -> Service links to trigger the JavaScript Technical details: - - ------------------------ The Service links module fails to sanitize the output of the content type names before display. Applying the following patch fixes this vulnerability. Patch - - ------- Applying the following patch mitigates these threats. - --- service_links/service_links.module 2008-02-26 12:01:27.000000000 -0500 +++ service_links_fixed/service_links.module 2009-10-02 06:33:21.000000000 -0400 @@ -35,11 +35,12 @@ function service_links_admin_settings() '#title' => t('Where to show the service links'), '#description' => t('Set the node types and categories you want to display links for.'), ); + $names = array_map('filter_xss', node_get_types('names')); $form['where_to_show_the_links']['service_links_node_types'] = array( '#type' => 'checkboxes', '#title' => t('Node types'), '#default_value' => variable_get('service_links_node_types', array()), - - '#options' => node_get_types('names'), + '#options' => $names, ); if (module_exists('taxonomy')) { $form['where_to_show_the_links']['service_links_category_types'] = array( - -- Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org iPwEAQECAAYFAkrGEWkACgkQkSlsbLsN1gBl7wb+IW9Jk9N8ewZfa4mDxj8W1AVI jG20xNmLhO9juy8SLe1VD6aAEB5vSDLGOQKB9bIZIuGHRbTwCh1CRYy3RldBCuMn SKDtBHDpCSLRiy3QfUUeFud7z5GaLoPkJ8x9Esrs3bWtt2mM6AtFmCpuiGWffXWB oBvlSpBF2QylQi8kZMqcjzQsuVEdJip/nMfbUWYrTWw4mGANXGIZiWG2ADeNKUAR uI6caEFcLAcSiRP67k8PXyuMuMVY2RWVVmetemBmJKX5ToUNNSHC+Zhw8UUQ9A99 NzGOoXc2dSXhuR9GxJs= =YUno -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/