Full Disclosure mailing list archives
Drupal flag module xss vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Tue, 18 Aug 2009 09:58:58 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vulnerability Summary Report Author: Justin C. Klein Keane <justin () madirish net> Disclosure URL: http://lampsecurity.org/drupal-flag-module-vulnerability Description of Vulnerability: - - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Flag module (http://drupal.org/project/flag) "is a flexible flagging system that is completely customizable by the administrator. Using this module, the site administrator can provide any number of flags for nodes, comments, or users. Some possibilities include bookmarks, marking important, friends, or flag as offensive. With extensive views integration, you can create custom lists of popular content or keep tabs on important content." The Flag module contains a cross site scripting vulnerability because it does not properly sanitize output of role names before display during flag creation. Systems affected: - - ----------------- Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable. Impact: - - ------- XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: - - ------------------- The Flag module must be installed. To carry out a role based XSS exploit against the module the attacker must be able to inject malicious role names which requires 'administer permissions' or write access to the Drupal database. Only users with permission to 'administer flags' are affected by this vulnerability. Proof of Concept: - --------------------- 1. Install Drupal 6.13 2. Install Flag 6.x-1.1 3. Enable the Flag and Flag actions modules from Administer -> Site building -> Modules 4. Click the Administer -> User Management -> Roles link 5. Enter "<script>alert('xss');</script>" in the 'Name' textarea and click the 'Add role' button 6. (Note that this triggers a XSS, a vulnerability in 6.13 core) 7. Click Administer -> Site Building -> Flags 8. Click the 'Add' tab 9. Fill in an arbitrary 'Flag name' and click the 'Submit' button 10. Observe the JavaScript alert Technical details: - ------------------------ The Flag module fails to sanitize role names on line 708 of flag.views.inc before display. Vendor Response: - ----------------- It is the position of Drupal security that "'administer permissions' allows arbitrary permission escalation already, so [...] we do not consider it a security vulnerability." Patch - ------- Applying the following patch mitigates these threats. diff -up flag/flag.module flag_fixed/flag.module - --- flag/flag.module 2009-03-14 02:13:54.000000000 -0400 +++ flag_fixed/flag.module 2009-08-18 09:23:37.404047187 -0400 @@ -702,10 +702,11 @@ function flag_form(&$form_state, $name, $form['roles']['#value'] = $flag->roles; } + $options = array_map('check_plain', node_get_types('names')); $form['types'] = array( '#type' => 'checkboxes', '#title' => t('What nodes this flag may be used on'), - - '#options' => node_get_types('names'), + '#options' => $options, '#default_value' => $flag->types, '#description' => t('Check any node types that this flag may be used on. You must check at least one node type.'), '#required' => TRUE, - -- Justin C. Klein Keane http://www.MadIrish.net http://www.LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iQD1AwUBSoqzopEpbGy7DdYAAQJxDQb/eXDs65vUYUoBmK6dd+wueewHPfHIeAQ/ qe8g8IlrfYOFEHalkWmTSt9tLh6WLstjLXilXrSChWoBEfx3dL/qDkVsI++lFOsi Z5X9WGhZEJUXw/NGA/ltmtxE0EsFuCHLvuUFyXvG2EdAR7UsRPpmkCAqYC4M16mz C5EGdWwPrQCQjbViKX3jURHLwlaTMyckNE3yyMbcfM2CDuS1AZXUC/BwbMoKrCkH Z6coe0gDbV6Y60FPv+PCj2R+CZKzmE0cODdU4iwXx1gxDcx9AxVedZxbKitEi3Hl mHEMJ+w80GQ= =M2Ce -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drupal flag module xss vulnerability Justin Klein Keane (Aug 18)