-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this vulnerability can also be found at
http://www.madirish.net/?article=435

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Site Map module
(http://drupal.org/project/site_map) "provides a site map that gives
visitors an overview of your site. It can also display the RSS feeds for
all blogs and categories."

The Site map module contains a stored cross-site scripting vulnerability:
the 'Site map message' configured by an administrator is returned to
visitors without being sanitized before display.

Systems affected:

Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.

Impact:

The stored payload runs in the browser of every user who views the site
map page. If that user is a site administrator, the script can act with
the administrator's session (change configuration, create accounts, and
so on), and compromise of a Drupal administrative account can in turn be
leveraged into compromise of the web server process.

Mitigating factors:

The Site map module must be installed and enabled. To plant the payload
the attacker must already hold the 'administer site configuration'
permission, so the practical risk is on sites that grant that permission
to users who are not fully trusted: such a user can run script in the
browsers of all visitors, including other administrators.

Proof of Concept:

   1. Install Drupal 6.14
   2. Install Site map 6.x-1.1
   3. Enable the Site map module from Administer -> Site building -> Modules
   4. Click Administer -> Site configuration -> Site map
   5. Enter "<script>alert('xss');</script>" in the 'Site map message'
text area
   6. Enable the site map link in Administer -> Site building -> Menus
-> Navigation by clicking the 'Enable' checkbox next to 'Site map' and
clicking the 'Save configuration' button
   7. Click on the 'Site map' link in the navigation to observe the
rendered JavaScript

Technical details:

The site_map_help() function in site_map.module returns the stored site
map message wrapped in <p> tags without passing it through filter_xss()
or any other output filter, so markup saved in the 'Site map message'
setting reaches the visitor's browser verbatim. Wrapping the message in
filter_xss() before it is returned fixes the issue.

Patch

The following diff shows the change. Note that it is printed reversed
(the '-' line is the sanitized version), so apply it with 'patch -R' or
swap the two lines by hand.
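The output path that the proof-of-concept steps exercise and that the technical details describe, modelled in Python as an added example. This is not code from the Site map module or from Drupal core: filter_xss() is stood in for by a small allow-list sanitizer built on html.parser, the function names site_map_help_vulnerable, site_map_help_fixed, filter_xss_model and href_is_safe are hypothetical, and the three sample messages are constructed for the demonstration.

```python
"""Model of the Site map message output path, vulnerable and fixed.

Added example, not code from the Site map module or Drupal core. Drupal's
filter_xss() is stood in for by a small allow-list sanitizer built on
html.parser; the real function is more thorough, so treat this as an
illustration of the approach, not a drop-in replacement. All names are
hypothetical.
"""
from html import escape
from html.parser import HTMLParser

# Constructed samples of what an administrator could save in the
# 'Site map message' text area.
POC_MESSAGE = "<script>alert('xss');</script>"  # the advisory's payload
BENIGN_MESSAGE = 'See the <a href="/blog">blog</a> for <em>updates</em>.'
SNEAKY_MESSAGE = '<a href="javascript:alert(1)" onclick="alert(2)">click</a>'

# The kind of allow-list an output filter applies: a few inline and list
# tags, and only href on <a>, restricted to harmless schemes.
ALLOWED_TAGS = {"a", "em", "strong", "cite", "code", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def href_is_safe(value: str) -> bool:
    """Relative URLs pass; absolute URLs must use an allow-listed scheme.
    Whitespace is removed before the check so 'java\\tscript:' cannot
    slip past the scheme test."""
    compact = "".join(value.split()).lower()
    if ":" not in compact:
        return True
    return compact.split(":", 1)[0] in ALLOWED_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Keeps allow-listed tags and attributes, drops everything else, and
    escapes all text so it can never be parsed as markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text is still emitted via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick= and every other event handler
            if name == "href" and not href_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so '<' in text
        # comes out as '&lt;' and cannot open a tag.
        self.parts.append(escape(data, quote=False))


def filter_xss_model(markup: str) -> str:
    """Stand-in for Drupal's filter_xss(): allow-list sanitization."""
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts)


def site_map_help_vulnerable(message: str) -> str:
    """The behaviour the advisory reports: message concatenated raw."""
    return "<p>" + message + "</p>" if message else ""


def site_map_help_fixed(message: str) -> str:
    """The corrected path: sanitize before wrapping in <p>."""
    return "<p>" + filter_xss_model(message) + "</p>" if message else ""


if __name__ == "__main__":
    samples = [("PoC", POC_MESSAGE), ("benign", BENIGN_MESSAGE),
               ("sneaky", SNEAKY_MESSAGE)]
    for label, msg in samples:
        print(f"{label:7} vulnerable: {site_map_help_vulnerable(msg)}")
        print(f"{label:7} fixed:      {site_map_help_fixed(msg)}")
```

An allow-list filter strips disallowed tags but keeps their text, which is why the PoC payload survives as the harmless string alert('xss'); and the benign message keeps its link and emphasis. If the message is not meant to carry any markup, escaping the whole string (check_plain() in Drupal 6) is the simpler and stricter choice.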

- --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
+++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
@@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
  switch ($path) {
    case 'sitemap':
      $output = _sitemap_get_message();
- - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
+      return $output ? '<p>'. $output .'</p>' : '';
  }
 }
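Review bot: the hunk is reversed. Once the PGP dash-escaping ('- ' prefixes) is stripped, the '-' line is the one that calls filter_xss() and the '+' line returns $output unsanitized, so applied as written this would remove the sanitization rather than add it (or simply fail to apply against the vulnerable 6.x-1.1 file, which has no filter_xss() call to remove). The file headers point the same way: the '---' file is stamped 15:09:49 and the '+++' file 15:09:30, i.e. the diff was generated from the patched copy to the original. Regenerate it with 'diff -u original patched', or apply it with 'patch -R'; the intended line is `return $output ? '<p>'. filter_xss($output) .'</p>' : '';`. If the message is not meant to hold markup at all, check_plain() is the stricter choice.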

--
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBStcwjJEpbGy7DdYAAQLv4wb+OoBt42FwHYjZ+DQwb2ljQgzHMwiGUy/o
JPVN0dTsjNOIpXz5teivOPaSMIthyB1+zHpeAojqZ1yTeYHPRjxGX8w5PrUVgBPU
gbh7YJ7we6MJV2ERfUhFOswepZOeseAZc1a5XnRgPEaTzd5IFf0x4yWzHl0M01XS
NTOxuvr8HGIxqGqmhLsljjPw8nnBFwc2pMojKRGNj6pbpkgL7hqxObhjBzepi/Eg
d30c7yTZ6Z5LgsaNPkE0OiV1JIj99SBXVLghhQ3mITouIhzSsddpDoHQXDQFwz5X
icA3Z7tgEGo=
=Q0zP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/