[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Drupal flag module xss vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Summary Report

Author: Justin C. Klein Keane <justin@xxxxxxxxxxxx>
Disclosure URL:
http://lampsecurity.org/drupal-flag-module-vulnerability

Description of Vulnerability:
- - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Flag module (http://drupal.org/project/flag)
"is a flexible flagging system that is completely customizable by the
administrator. Using this module, the site administrator can provide any
number of flags for nodes, comments, or users. Some possibilities
include bookmarks, marking important, friends, or flag as offensive.
With extensive views integration, you can create custom lists of popular
content or keep tabs on important content."

The Flag module contains a cross site scripting vulnerability because it
does not properly sanitize output of role names before display during
flag creation.

Systems affected:
- - -----------------
Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable.

Impact:
- - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - -------------------
The Flag module must be installed.  To carry out a role based XSS
exploit against the module the attacker must be able to inject malicious
role names which requires 'administer permissions' or write access to
the Drupal database.  Only users with permission to 'administer flags'
are affected by this vulnerability.

Proof of Concept:
- ---------------------
1.  Install Drupal 6.13
2.  Install Flag 6.x-1.1
3.  Enable the Flag and Flag actions modules from Administer -> Site
building -> Modules
4.  Click the Administer -> User Management -> Roles link
5.  Enter "<script>alert('xss');</script>" in the 'Name' textarea and
click the 'Add role' button
6.  (Note that this triggers a XSS, a vulnerability in 6.13 core)
7.  Click Administer -> Site Building -> Flags
8.  Click the 'Add' tab
9.  Fill in an arbitrary 'Flag name' and click the 'Submit' button
10.  Observe the JavaScript alert


Technical details:
- ------------------------
The Flag module fails to sanitize role names on line 708 of
flag.views.inc before display.

Vendor Response:
- -----------------
It is the position of Drupal security that "'administer permissions'
allows arbitrary permission escalation already, so [...] we do not
consider it a security vulnerability."

Patch
- -------
Applying the following patch mitigates these threats.

diff -up flag/flag.module flag_fixed/flag.module
- --- flag/flag.module    2009-03-14 02:13:54.000000000 -0400
+++ flag_fixed/flag.module      2009-08-18 09:23:37.404047187 -0400
@@ -702,10 +702,11 @@ function flag_form(&$form_state, $name,
     $form['roles']['#value'] = $flag->roles;
   }

+  $options = array_map('check_plain', node_get_types('names'));
   $form['types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('What nodes this flag may be used on'),
- -    '#options' => node_get_types('names'),
+    '#options' => $options,
     '#default_value' => $flag->types,
     '#description' => t('Check any node types that this flag may be
used on. You must check at least one node type.'),
     '#required' => TRUE,

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSoqzopEpbGy7DdYAAQJxDQb/eXDs65vUYUoBmK6dd+wueewHPfHIeAQ/
qe8g8IlrfYOFEHalkWmTSt9tLh6WLstjLXilXrSChWoBEfx3dL/qDkVsI++lFOsi
Z5X9WGhZEJUXw/NGA/ltmtxE0EsFuCHLvuUFyXvG2EdAR7UsRPpmkCAqYC4M16mz
C5EGdWwPrQCQjbViKX3jURHLwlaTMyckNE3yyMbcfM2CDuS1AZXUC/BwbMoKrCkH
Z6coe0gDbV6Y60FPv+PCj2R+CZKzmE0cODdU4iwXx1gxDcx9AxVedZxbKitEi3Hl
mHEMJ+w80GQ=
=M2Ce
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/