Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Drupal 6.15 (core) Profile Module XSS Vulnerability
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Wed, 03 Mar 2010 15:09:35 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure have been posted at
http://www.madirish.net/?article=450

NB:
- -----
This vulnerability was publicly described in Drupal 7
(http://drupal.org/node/611532).  Furthermore the Drupal security
guidelines state that vulnerabilities that require 'Administer users' do
not require a security announcement (http://drupal.org/node/475848).
Thus, this report serves only to call out the vulnerability in Drupal 6.

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules.  The profile module is provided as part of the
Drupal 6 core modules and contains several arbitrary script injection
vulnerabilities that can allow users with the 'administer users'
permission to inject scripts into category names and explanations.

Systems affected:
- -----------------
Drupal 6.15 was tested and shown to be vulnerable

Mitigating factors:
- -------------------
Attacker must have 'administer users' and 'access administration pages"
permissions in order to exploit this vulnerability.

Proof of concept:
- -----------------
1.  Install Drupal 6.15.
2.  Enable the profile module from Administer -> Site building -> Modules
3.  Go to Administer -> User management -> Profiles and click on
'single-line textfield'
4.  Enter "<script>alert('xss1');</script>" for Category
5.  Enter "<script>alert('xss2');</script>" for Explanation
6.  Fill in arbitrary values for other fields and click 'Save field' button
7.  Observe the category XSS on the resulting page
8.  Click Administer -> Users, and select a user and click the 'Edit' link
9.  Click the "<script>alert('xss1');</script>" tab at the top of the form
10. Observe the second XSS on the resulting page.

Drupal 6 Patch
- --------------
Applying the following patch mitigates these threats.

- --- drupal-6.15/modules/profile/profile.admin.inc     2008-10-16
08:43:08.000000000 -0400
+++ drupal-6.15.patched/modules/profile/profile.admin.inc       2010-03-03
14:33:44.740024567 -0500
@@ -25,7 +25,7 @@ function profile_admin_overview() {
     $form[$field->fid]['name'] = array('#value' =>
check_plain($field->name));
     $form[$field->fid]['title'] = array('#value' =>
check_plain($field->title));
     $form[$field->fid]['type'] = array('#value' => $field->type);
- -    $form[$field->fid]['category'] = array('#type' => 'select',
'#default_value' => $field->category, '#options' => array());
+    $form[$field->fid]['category'] = array('#type' => 'select',
'#default_value' => check_plain($field->category), '#options' => array());
     $form[$field->fid]['weight'] = array('#type' => 'weight',
'#default_value' => $field->weight);
     $form[$field->fid]['edit'] = array('#value' => l(t('edit'),
"admin/user/profile/edit/$field->fid"));
     $form[$field->fid]['delete'] = array('#value' => l(t('delete'),
"admin/user/profile/delete/$field->fid"));
diff -up drupal-6.15.new/modules/profile/profile.module
drupal-6.15.clean/modules/profile/profile.module
- --- drupal-6.15.new/modules/profile/profile.module    2009-01-12
05:09:19.000000000 -0500
+++ drupal-6.15.clean/modules/profile/profile.module    2010-03-03
14:32:54.749038065 -0500
@@ -341,7 +341,7 @@ function _profile_form_explanation($fiel
     $output .= ' '. t('The content of this field is kept private and
will not be shown publicly.');
   }

- -  return $output;
+  return check_plain($output);
 }

 function profile_form_profile($edit, $user, $category, $register = FALSE) {

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkuOwf8ACgkQkSlsbLsN1gDDNwb8DxT9tIGOM0pxme6uadYY+j/q
26aHqh2T4mUVDsUzM6egQvGrCqQaUpagjb6b+lhZsmCvbv30Fo7l+4DXCjrKeZS9
Y2yMuY5xks3bMKtWpbiFfH8V1wb46maWH5h2d4rg6d1sbv6ZREF7lDKhMxkkMmGn
7ZHJl6bbUbgUxLIKfazxz7Gsq3CHNZrfMz3wp2tNMKeafdNG2dd5T0KJT6wlN8+G
lbNsLj11U08gzhvq9jRjGUWjK9q9LZeOmBELnYBc8cNOsVeAHD4KPC/H81tCIn9i
mf1cvmm0gh2/7akbF40=
=mqfE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Drupal 6.15 (core) Profile Module XSS Vulnerability Justin C. Klein Keane (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault