-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The CCK module (http://drupal.org/project/cck) "allows you to add custom fields to nodes using a web browser."

The CCK module version 5.x-1.10 contains a cross site scripting vulnerability because it does not properly sanitize output of group labels before display.

Systems affected:
-----------------
Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to compromise, which could lead to web server process compromise.

Mitigating factors:
-------------------
The CCK module must be installed. To carry out a CCK based XSS exploit the attacker must have 'administer content types' permission.

Proof of Concept:
-----------------
1. Install Drupal 5
2. Install CCK 5.x-1.10
3. Enable the CCK module from Administer -> Site building -> Modules and enable all CCK modules
4. From Administer -> Content management -> Content types, click the 'edit' link next to the 'Page' content type
5. Click the 'Add group' tab at the top
6. Enter "<script>alert('xss');</script>" as the label and save the group by clicking the 'Add' button at the bottom of the form
7. On form submission you will be redirected to /?q=admin/content/types/page/fields and the JavaScript will be rendered and execute three times.

Technical details:
------------------
The CCK module fails to sanitize the output of the CCK group label before display on lines 248 and 285 of content_admin.inc. Applying the following patch fixes this vulnerability.

Patch
-----
Applying the following patch mitigates these threats.

$ diff -up cck/content_admin.inc cck_fixed/content_admin.inc
--- cck/content_admin.inc	2008-09-03 09:45:05.000000000 -0400
+++ cck_fixed/content_admin.inc	2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
 $row[] = drupal_render($form['field-groups'][$fname]);
 break;
 default:
- $row[] = array('data' => $cell, 'class' => $class);
+ $row[] = array('data' => filter_xss($cell), 'class' => $class);
 }
 }
@@ -282,7 +282,7 @@ function theme_content_admin_field_overv
 // add the group row in its own table above the group fields table, then reset $row().
 $fieldset = array(
- '#title' => t('!label (!name)', array('!label' => $form['#group_labels'][$fname], '!name' => $fname)),
+ '#title' => t('!label (!name)', array('!label' => filter_xss($form['#group_labels'][$fname]), '!name' => $fname)),
 '#collapsible' => TRUE,
 '#collapsed' => FALSE,
 '#value' => theme('table', array(), array(array('data' => $row, 'class' => 'content-field-overview-group'))) . theme('table', $header, $grows),

Vendor Response
---------------
Vendor replies that because the vulnerability requires "administer content types" privilege to exploit, they will not release a security announcement.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkrFbIUACgkQkSlsbLsN1gD9uAcAkpzYFoh1Z+cE6VQlAuuHRYtT
yF/PlmeWdrosXEVGe7ELJw5tv1EbbopeUlIU3D9tH0tftU4Jt1ptTR8j7WMBPQ9E
DeY3wDawxlrkeKmtLtyP9Wq3nZmJARb4518Cx0hMoyt4SIVWpJvgk6AenumpEKO2
DHyTCVyQ7EEWmui1L4eDIIJz4JG4JMJxRK/VZkZhg0ikVIfpE8YP1OvhJjpYo1v5
dH/RP/5sks3Lj9I4zHE1XImeLQRsgBvSPC8PmrPJ+D4g8T1Uw8zkGfYCUhrCFeFC
1OttfJI6m/J4tWxwTPE=
=aG9O
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
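Review bot: in the first hunk (the `default:` branch around line 248), filter_xss($cell) is the weaker of the two sanitizers Drupal offers for this situation, because filter_xss() keeps a small default whitelist of HTML tags and only strips the dangerous ones, so a label written as markup is still rendered as markup rather than shown literally; for a table cell that holds a label or similar plain-text value, check_plain($cell) is the more conservative choice and makes the intent (display as text, not HTML) explicit. If inline HTML in these cells is deliberately supported, a one-line comment at the call site saying so would spare the next reader the same question. The `case` branches above it that go through drupal_render() are correctly left alone.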
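Review bot: in the second hunk (the '#title' line around line 285), '!label' is the placeholder form that t() substitutes without any escaping, so the fix depends entirely on wrapping the value in filter_xss() by hand; t() already provides the '@label' placeholder form, which runs the value through check_plain() itself. Rewriting it as t('@label (!name)', array('@label' => $form['#group_labels'][$fname], '!name' => $fname)) puts the escaping in the format string where reviewers look for it, escapes rather than filters, and cannot be undone by someone later removing the function call. $fname is interpolated through '!name' unescaped as well; if it is not guaranteed to be a safe machine name, giving it the same '@name' treatment keeps the line consistent.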
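As an added illustration of the point in the technical details, and not code from CCK or from the advisory's author, the stand-alone PHP below renders a group label the unpatched way (dropped straight into markup) next to an escaped rendering. It emulates Drupal's check_plain() with htmlspecialchars(); filter_xss() is not reproduced. The labels, the group name 'group_1', and the helper names are all constructed for this example.

```php
<?php
// Added example, not CCK's own code: a minimal stand-in for the group label
// rendering in content_admin.inc, showing the unescaped output the advisory
// describes beside an escaped version.

// Constructed sample labels: the advisory's proof-of-concept value plus two
// benign ones (one with an ampersand and harmless inline markup).
$labels = array(
  'Contact details',
  "<script>alert('xss');</script>",
  'Tom & Jerry <b>fields</b>',
);

// Vulnerable rendering: the label goes into the markup as-is, which is what
// the unpatched code did with $form['#group_labels'][$fname].
function render_group_title_unsafe($label, $name) {
  return '<legend>' . $label . ' (' . $name . ')</legend>';
}

// Stand-in for Drupal's check_plain(): escape <, >, &, " and ' so the browser
// displays the label text literally instead of parsing it as HTML.
function check_plain_stub($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hardened rendering: escape both untrusted values before concatenation.
function render_group_title_safe($label, $name) {
  return '<legend>' . check_plain_stub($label) . ' (' . check_plain_stub($name) . ')</legend>';
}

// Self-check: after removing the fixed <legend> wrapper added by the renderer
// itself, escaped output must contain no raw tag opener from the label.
function contains_raw_tag($html) {
  $inner = preg_replace('#^<legend>|</legend>$#', '', $html);
  return (bool) preg_match('/<[a-zA-Z\/]/', $inner);
}

foreach ($labels as $label) {
  $unsafe = render_group_title_unsafe($label, 'group_1');
  $safe   = render_group_title_safe($label, 'group_1');
  printf("label : %s\n", $label);
  printf("unsafe: %s  [raw tag: %s]\n", $unsafe, contains_raw_tag($unsafe) ? 'yes' : 'no');
  printf("safe  : %s  [raw tag: %s]\n\n", $safe, contains_raw_tag($safe) ? 'yes' : 'no');
}
```

Run it with `php example.php`; the unsafe column reports a raw tag for the second and third labels, the safe column for none of them, which is the property the patch is meant to restore for the group label on the field overview page.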