Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Drupal Answers Module Contains XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 12 Sep 2008 09:56:26 -0400

Hash: SHA1

* Date: Sept 12, 2008
* Security risk: medium
* Exploitable from: Remote
* Vulnerability: Cross site scripting


Drupal is a robust content management system (CMS) that provides
extensibility through hundreds of third party modules.  While the
security of Drupal core modules is vetted by a central security team,
third party modules are not reviewed for security.

The Answers module (http://drupal.org/project/answers), created by
"Drupal experts" TickleSpace (http://ticklespace.com/) is designed to
allow users to create "quests" in the form of questions.  Users are then
allowed to post answers to these quests.  However, the answers submitted
by users are not properly sanitized, leading to cross site scripting
vulnerabilities.  When a user posts a Simple Answer, using the link
provided in nodes that are questions, the data entered in the "Answer:"
text area is not sanitized for display.  Users can enter malicious
javascript or other data.  In a default configuration this data is then
rendered on the front page of the Drupal installation, subjecting users
to a cross site scripting attack.

Vulnerable Versions

5.x-1.x-dev, dated 2008-May-22 was tested and shown vulnerable.

Testing for Vulnerability

Entering a value of "<script>alert('foo');</script>" as an answer will
cause an alert box with the text "foo" to appear whenever the answer is


Depending on configuration, this vulnerability allows unauthenticated
users to remotely inject malicious content that could be displayed to
all web site users.  Such content could include links to malware that
could lead to possible system compromise.

Determining Version

The answers.info page for vulnerable versions displays the following

; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $
name = Questions
description =  Allows users track their questions.
package = "Answers"

; Information added by drupal.org packaging script on 2008-05-22
version = "5.x-1.x-dev"
project = "answers"
datestamp = "1211414452"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).

Vendor Response

The module developer has not responded to contact attempts.

- --
Mad Irish
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Drupal Answers Module Contains XSS Vulnerability Justin Klein Keane (Sep 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]