Full Disclosure mailing list archives
Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 16 Oct 2009 08:29:40 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Reid of Drupal security correctly pointed out to me that this vulnerability is for "Sitemap" module, not "XML Sitemap" as specified in the subject line. There are just so many that I lose track sometimes... Props to Dave for spotting my error and apologies for any confusion. Justin C. Klein Keane http://www.MadIrish.net Justin Klein Keane wrote:
Details of this vulnerability can also be found at http://www.madirish.net/?article=435 Description of Vulnerability: Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Site Map module (http://drupal.org/project/site_map) "provides a site map that gives visitors an overview of your site. It can also display the RSS feeds for all blogs and categories." The Site map module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display. Systems affected: Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable. Impact: XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. Mitigating factors: The Site map module must be installed. To carry out a Site map based XSS exploit the attacker must have 'administer site configuration' permissions. Proof of Concept: 1. Install Drupal 6.14 2. Install Site map 6.x-1.1 3. Enable the Site map module from Administer -> Site building -> Modules 4. Click Administer -> Site configuration -> Site map 5. Enter "<script>alert('xss');</script>" in the 'Site map message' text area 6. Enable the site map link in Administer -> Site building -> Menus -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and clicking the 'Save configuration' button 7. Click on the 'Site map' link in the navigation to observe the rendered JavaScript Technical details: The Site map module fails to sanitize the output of the site map message before display. Applying the following patch fixes this vulnerability. Patch Applying the following patch mitigates these threats. --- site_map/site_map.module 2009-09-30 15:09:49.295134033 -0400 +++ site_map/site_map.module 2009-09-30 15:09:30.011119976 -0400 @@ -14,7 +14,7 @@ function site_map_help($path, $arg) { switch ($path) { case 'sitemap': $output = _sitemap_get_message(); - - return $output ? '<p>'. filter_xss($output) .'</p>' : ''; + return $output ? '<p>'. $output .'</p>' : ''; } }
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iQD1AwUBSthnM5EpbGy7DdYAAQI8DwcAgwYEIG/7iuccRew6/Y5gg3Nu1yHBX0A2 /Qi4xItTgh47V1Gbe/lfxeFJavyV4ofXXxfOdnvoK1v9+GFetqDnL8o5836tN8ov Xy4k7J+zcGz0iOH+eJggIFn6AfK+NpRlFaghYpEFnnHdaS9iTUzqi0hIaDlyDypT 9p9+ClsvHbv1jlmG+MhkNXtThAkAzxw3ZH3CNRbXEqbSK+LOknzsgPRBIdQvjK+z aJp6kCB6GV2M8KeglHYCSzDQNag2GZBzALGQXaDiR8poXutxzP0egzeBmeQ0PZjx qTDjFUuJrFY= =lSK5 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Justin Klein Keane (Oct 15)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Andrew Farmer (Oct 15)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Jan G.B. (Oct 16)
- Re: Drupal XML Sitemap 6.x-1.1 XSS Vulnerability Justin Klein Keane (Oct 16)