-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Details of this vulnerability can also be found at http://www.madirish.net/?article=435
Description of Vulnerability: Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Site Map module (http://drupal.org/project/site_map) "provides a site map that gives visitors an overview of your site. It can also display the RSS feeds for all blogs and categories." The Site map module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display. Systems affected: Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable. Impact: XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: The Site map module must be installed. To carry out a Site map based XSS exploit the attacker must have 'administer site configuration' permissions. Proof of Concept: 1. Install Drupal 6.14 2. Install Site map 6.x-1.1 3. Enable the Site map module from Administer -> Site building -> Modules 4. Click Administer -> Site configuration -> Site map 5. Enter "<script>alert('xss');</script>" in the 'Site map message' text area 6. Enable the site map link in Administer -> Site building -> Menus - -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and clicking the 'Save configuration' button 7. Click on the 'Site map' link in the navigation to observe the rendered JavaScript Technical details: The Site map module fails to sanitize the output of the site map message before display. Applying the following patch fixes this vulnerability. Patch Applying the following patch mitigates these threats. - --- site_map/site_map.module 2009-09-30 15:09:49.295134033 -0400 +++ site_map/site_map.module 2009-09-30 15:09:30.011119976 -0400 @@ -14,7 +14,7 @@ function site_map_help($path, $arg) { switch ($path) { case 'sitemap': $output = _sitemap_get_message(); - - - return $output ? '<p>'. filter_xss($output) .'</p>' : ''; + return $output ? '<p>'. $output .'</p>' : ''; } } - -- Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iQD1AwUBStcwjJEpbGy7DdYAAQLv4wb+OoBt42FwHYjZ+DQwb2ljQgzHMwiGUy/o JPVN0dTsjNOIpXz5teivOPaSMIthyB1+zHpeAojqZ1yTeYHPRjxGX8w5PrUVgBPU gbh7YJ7we6MJV2ERfUhFOswepZOeseAZc1a5XnRgPEaTzd5IFf0x4yWzHl0M01XS NTOxuvr8HGIxqGqmhLsljjPw8nnBFwc2pMojKRGNj6pbpkgL7hqxObhjBzepi/Eg d30c7yTZ6Z5LgsaNPkE0OiV1JIj99SBXVLghhQ3mITouIhzSsddpDoHQXDQFwz5X icA3Z7tgEGo= =Q0zP -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
