Full Disclosure mailing list archives

Drupal Protected Node Module XSS Vulnerability
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Fri, 27 Feb 2009 11:15:48 -0500

Version Tested:  5.x-1.3 on Drupal 5.15

The Drupal Protected Node module
(http://drupal.org/project/protected_node) is designed to restrict
access to nodes using passwords.  When nodes are created they can be
protected by selecting 'protected node' and specifying a password.
Users attempting to access the node must then enter a password in order
to access the node.  Details of this vulnerability can also be found at

The Protected Node module fails to properly sanitize user input entered
in the 'Password page info' field at Administer -> Site Configuration ->
Protected Node.  Users with the 'administer site configuration'
permission can access this page.

Steps to reproduce the exploit:

1.  Enable the Protected Node module
2.  Set permissions (Administer -> User Management) so anonymous users
can access protected content in the protected_node module section
3.  Click Administer -> Site Configuration -> Protected node
4.  Enter the value <script>alert('xss');</script> into the 'Password
page info' textarea
5.  Create a new piece of content
6.  In the 'Protected node' section on the content creation screen check
the 'Node is protected' checkbox and enter a password.
7.  Save the content.
8.  Log out and view the content to trigger the JavaScript

Technical details:

This vulnerability is introduced by a failure to sanitize user input as
it is being displayed in the protected_node_enterpassword() function in
protected_node.module.  Lines 272-274 print out the user-supplied text
using the statement:

$form['protected_node'] = array(
  '#value' => $info
);

The $info variable should be sanitized using check_plain() or a similar
function in order to prevent the XSS vulnerability.
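
The reported pattern beside the escaped form, as an added example that is
not part of the original advisory or the module's code.  The helper names
are hypothetical, the check_plain() stand-in is an assumption that
approximates the Drupal 5 helper, and the sample inputs are constructed.

```php
<?php
// Added example, not code from protected_node.module.

// Stand-in for Drupal's check_plain() so this file runs outside Drupal
// (assumption: it approximates the Drupal 5 helper's behaviour).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    // Drop strings that are not valid UTF-8, then encode & < > " and '.
    if ($text !== '' && preg_match('/^./us', $text) !== 1) {
      return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical helper: the reported pattern. A '#value' element with no
// '#type' is emitted as raw markup, so $info reaches the page unescaped.
function info_element_vulnerable($info) {
  return array('protected_node' => array('#value' => $info));
}

// Hypothetical helper: the same element, escaped at output time.
function info_element_hardened($info) {
  return array('protected_node' => array('#value' => check_plain($info)));
}

// Constructed inputs: the value from step 4, plain text with '&' and
// quotes, and harmless markup (which check_plain() also neutralises, so
// the info text can no longer carry formatting).
$samples = array(
  "<script>alert('xss');</script>",
  'Ask the "site owner" & enter the password.',
  '<b>Members only</b>',
);

foreach ($samples as $info) {
  $bad  = info_element_vulnerable($info);
  $good = info_element_hardened($info);
  $out  = $good['protected_node']['#value'];
  printf("raw:     %s\nescaped: %s\n\n", $bad['protected_node']['#value'], $out);
  // Regression check: no markup delimiter or quote may survive escaping.
  if (strpbrk($out, "<>\"'") !== false) {
    fwrite(STDERR, "unescaped metacharacter in output\n");
    exit(1);
  }
}
```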

Drupal security (http://drupal.org/security) team and module maintainer
have been notified.

--
Justin C. Klein Keane
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
