[Full-disclosure] Drupal 6 Email Field XSS Vulnerability
- To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Drupal 6 Email Field XSS Vulnerability
- From: Justin Klein Keane <justin@xxxxxxxxxxxx>
- Date: Mon, 08 Jun 2009 15:15:28 -0400
Vulnerability Summary Report
Author: Justin C. Klein Keane <justin@xxxxxxxxxxxx>
Vendor Response: See below
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-6-email-field-xss-vulnerability
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Email Field module
(http://drupal.org/project/email) is a module that extends the Content
Construction Kit (CCK) module (http://drupal.org/project/cck). It
allows for a CCK field type for e-mail.
The Email Field module contains a stored cross site scripting vulnerability:
the help text entered for an Email field during content type configuration
is copied into the widget's '#description' without sanitization, and Drupal
renders that description as raw HTML on the field configuration page and on
the node creation form for the content type.
Systems affected:
-----------------
Drupal 6.12 with Email Field 6.x-1.1 was tested and shown to be vulnerable.
Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise, which could in turn lead to web server process compromise.
Because the payload is stored in the field configuration, it executes in
the browser of every user who views the field's configuration page or the
node creation form for the affected content type, not only the
administrator who entered it.
Mitigating factors:
-------------------
The CCK and Email Field modules must be installed and enabled. To carry
out the proof of concept below the attacker must authenticate as a user
with the 'administer content types' permission. Other attack vectors may
exist.
Proof of Concept:
-----------------
1. Install and enable the CCK and Email Field modules
2. Log in as a user with the 'administer content types' permission
3. Click Administer -> Content management -> Content types
4. Click the 'Add a new content type' link
5. Fill in arbitrary values
6. Click the 'Save content type' button
7. Click 'manage fields' under the Operations column for the new content
type on the 'Administer' -> 'Content management' -> 'Content types' screen
8. Fill in a new field label and field name
9. Select 'Email' for the type of data to store
10. Click the 'Save' button
11. In the "Help text:" field enter "<script>alert('xss');</script>"
12. Click the 'Save field settings' button
13. Click the 'Configure' link next to the new 'Email' field
14. Observe JavaScript alert
-or-
13. Click the 'Create content' link
14. Click the link for the newly created content type
15. Observe JavaScript alert
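The following is an added example, not code from the advisory or from the Email Field module. It reduces the description and proof of concept above to a runnable stand-in: a minimal copy of the part of Drupal 6's theme_form_element() that emits '#description' (assumed to print the value verbatim, as core does), a vulnerable and a hardened widget build, and a DOMDocument check that decides whether a <script> element ended up inside div.description. The function names build_element_vulnerable(), build_element_fixed(), render_description() and description_contains_script() are this example's own; check_plain_d6() mirrors core's check_plain() body but is not the real function.

```php
<?php
// Added example (not from the advisory or the Email Field module).
// Assumptions: the element array shape and the escaping body follow
// Drupal 6 core; no real Drupal is loaded here.

// Drupal 6 core's check_plain() is htmlspecialchars() with ENT_QUOTES and
// UTF-8 (core additionally rejects invalid UTF-8 first; omitted here).
function check_plain_d6($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the part of theme_form_element() that emits the description.
// Drupal 6 prints $element['#description'] verbatim, so whatever the widget
// put there reaches the browser unchanged.
function render_description(array $element) {
  if (empty($element['#description'])) {
    return '';
  }
  return ' <div class="description">' . $element['#description'] . "</div>\n";
}

// Vulnerable widget process: copies the admin-supplied help text straight
// into '#description' (the pattern in email_textfield_process() before the
// patch in the follow-up below).
function build_element_vulnerable($help_text) {
  return array(
    '#type' => 'textfield',
    '#description' => $help_text,
  );
}

// Hardened widget process: escape before the text enters the render array.
function build_element_fixed($help_text) {
  return array(
    '#type' => 'textfield',
    '#description' => check_plain_d6($help_text),
  );
}

// Check: is there a <script> element inside div.description? Parsing with
// DOMDocument tests the tree the browser would build, not a substring, so
// the escaped form ("&lt;script&gt;") correctly counts as clean.
function description_contains_script($html) {
  $doc = new DOMDocument();
  libxml_use_internal_errors(TRUE);
  $doc->loadHTML('<html><body>' . $html . '</body></html>');
  libxml_clear_errors();
  $xpath = new DOMXPath($doc);
  $nodes = $xpath->query('//div[@class="description"]//script');
  return $nodes->length > 0;
}

// Constructed input: the payload from step 11 of the proof of concept.
$payload = "<script>alert('xss');</script>";

$vulnerable_html = render_description(build_element_vulnerable($payload));
$fixed_html      = render_description(build_element_fixed($payload));

echo 'vulnerable: ' . (description_contains_script($vulnerable_html) ? 'script element present' : 'clean') . "\n";
echo 'fixed:      ' . (description_contains_script($fixed_html) ? 'script element present' : 'clean') . "\n";
echo $fixed_html;
```

Run it with `php example.php`. The same description_contains_script() check can be pointed at the HTML of node/add/<type> or the field's Configure page fetched from a test site after applying the patch, which confirms the fix without clicking through the steps above.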
Vendor Response
---------------
Drupal security has consistently pointed to
http://drupal.org/node/372836 in response to vulnerabilities that
require the 'administer content types' permission.
Follow up
---------
The following patch was submitted to the module maintainer and should
mitigate the vulnerability (Ref: http://drupal.org/node/485492):
- --- email/email.module 2008-08-12 04:12:02.000000000 -0400
+++ email_fixed/email.module 2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen
$element[$field_key] = array(
'#type' => 'textfield',
'#title' => t($field['widget']['label']),
- - '#description' => t($field['widget']['description']),
+ '#description' => check_plain(t($field['widget']['description'])),
'#required' => $element['#required'],
'#maxlength' => 255,
'#size' => !empty($field['widget']['size']) ?
$field['widget']['size'] : 60,
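Review bot: the new '#description' line escapes the right sink (Drupal 6's theme_form_element() prints '#description' verbatim), but it still passes admin-entered text through t() first; Drupal's own guidance is not to call t() on runtime strings, so `'#description' => check_plain($field['widget']['description']),` is the cleaner form and avoids pushing per-site help text into the locale tables. Two things this single hunk cannot show and that should be confirmed before merging: whether any other process or widget function in email.module copies $field['widget']['description'] into '#description' in the same way (each needs the same change), and whether the untouched '#title' => t($field['widget']['label']) line just above is safe; core's theme_form_element() runs filter_xss_admin() over #title, so it is not a sink for this role, but a comment next to the fixed line saying why only the description is escaped would help the next reader.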
--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org