Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Drupal 6 Date/Calendar XSS Vulnerability
From: Justin Klein Keane <justin () madirish net>
Date: Fri, 24 Jul 2009 09:21:49 -0400

Hash: SHA1

Vulnerability Report

Date of Original Vendor Contact:  May 19, 2009 11:45 GMT -0400
Report Number:  8890
Author: Justin C. Klein Keane <justin () madirish net>
Details of this vulnerability are also posted at the public URL

Description of Vulnerability
- --------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Date and Calendar modules
(http://drupal.org/project/date, http://drupal.org/project/calendar)
provides functionality for constructing views based on dates for
calendar type displays.  The Calendar module suffers from a cross site
scripting (XSS) vulnerability due to the fact that it does not properly
sanitize names during display.

Systems affected:
- -----------------
Drupal 6.12 with Date 6.x-2.2, Calendar 6.x-2.1 and Views 6.x-2.6 was
tested and shown to be vulnerable

- ------
Authenticated users can exploit this vulnerability to escalate privilege
and take control of the web server process.

Mitigating factors:
- -------------------
Attacker must have 'use date tools' permissions in order to exploit this
vulnerability.  Permissions to 'administer views' are required to be
affected by the XSS (otherwise injected code results on pages to which
the user is denied access).

Proof of concept:
- -----------------
1.  Install Drupal 6.12.
2.  Install Views, Date, and Calendar and enable all functionality
through Administer -> Modules
3.  Click Administer -> Content management -> Date Tools
4.  Click 'Date wizard' to create a new content type
5.  Enter "<script>alert('xss');</script> in the "Content type label"
6.  Enter arbitrary data in other fields
7.  Click 'save' to view JavaScript alert

Alternatively this XSS can also be triggered by viewing content type:
1.  Click Administer -> Content management -> Date tools
2.  Click the 'calendar_date' link next to the new content type
3.  Observe JavaScript alert

Alternatively this XSS can also be triggered by editing the new view
from Administer -> Site building -> Views and clicking 'Edit' next to
the new 'calendar_date' view.

- -----------
05-19-09 Drupal security notified of vulnerability
05-21-09 Drupal security acknowledges vulnerability, advises June 3 fix
06-02-09 Drupal security advises module maintainer asks for extension,
advise June 10 fix
06-10-09 Drupal security advises revised fix schedule
07-23-09 ORIGINATOR advises over a month has passed without update and
that disclosure will be made within 24 hours unless circumstances have
changed.  ORIGINATOR receives no response.
07-24-09 Public disclosure

- ------
In order to mitigate this vulnerability apply the following patch:

- --- calendar/includes/calendar_plugin_display_page.inc  2009-01-10
15:04:17.000000000 -0500
+++ calendar/includes/calendar_plugin_display_page.inc  2009-07-24
08:55:23.234846590 -0400
@@ -107,7 +107,7 @@ class calendar_plugin_display_page exten
     $options['calendar_date_link'] = array(
       'category' => 'calendar_settings',
       'title' => t('Add new date link'),
- -      'value' => !empty($default) ? node_get_types('name', $default)
: '',
+      'value' => !empty($default) ? check_plain(node_get_types('name',
$default)) : '',


- --
Justin C. Klein Keane
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Drupal 6 Date/Calendar XSS Vulnerability Justin Klein Keane (Jul 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]