mailing list archives
Drupal Answers Module Contains XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 12 Sep 2008 09:56:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
* Date: Sept 12, 2008
* Security risk: medium
* Exploitable from: Remote
* Vulnerability: Cross site scripting
Drupal is a robust content management system (CMS) that provides
extensibility through hundreds of third party modules. While the
security of Drupal core modules is vetted by a central security team,
third party modules are not reviewed for security.
The Answers module (http://drupal.org/project/answers), created by
"Drupal experts" TickleSpace (http://ticklespace.com/) is designed to
allow users to create "quests" in the form of questions. Users are then
allowed to post answers to these quests. However, the answers submitted
by users are not properly sanitized, leading to cross site scripting
vulnerabilities. When a user posts a Simple Answer, using the link
provided in nodes that are questions, the data entered in the "Answer:"
text area is not sanitized for display. Users can enter malicious
rendered on the front page of the Drupal installation, subjecting users
to a cross site scripting attack.
5.x-1.x-dev, dated 2008-May-22 was tested and shown vulnerable.
Testing for Vulnerability
Entering a value of "<script>alert('foo');</script>" as an answer will
cause an alert box with the text "foo" to appear whenever the answer is
Depending on configuration, this vulnerability allows unauthenticated
users to remotely inject malicious content that could be displayed to
all web site users. Such content could include links to malware that
could lead to possible system compromise.
The answers.info page for vulnerable versions displays the following
; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $
name = Questions
description = Allows users track their questions.
package = "Answers"
; Information added by drupal.org packaging script on 2008-05-22
version = "5.x-1.x-dev"
project = "answers"
datestamp = "1211414452"
Determining version information on Drupal sites is trivial in many cases
The module developer has not responded to contact attempts.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Drupal Answers Module Contains XSS Vulnerability Justin Klein Keane (Sep 12)