[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Drupal Service Links 6.x-1.0 XSS Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:
- - - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Service links module
(http://drupal.org/project/service_links) "enables admins to add links
to a number of social bookmarking sites, blog search sites etc. "

The Service Links module contains a cross site scripting vulnerability
because it does not properly sanitize output of content type names
before display.

Systems affected:
- - - -----------------
Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be
vulnerable.

Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - - -------------------
The Service links module must be installed.  To carry out a Service
links based XSS exploit the attacker must have 'administer content
types' permissions.

Proof of Concept:
- - ---------------------
1.  Install Drupal 6.14
2.  Install Service links 6.x-1.0
3.  Enable the Service links module from Administer -> Site building ->
Modules
4.  Create a new Content type from Administer -> Content management ->
Content types and click 'Add content type'
5.  For the 'name' field enter "<script>alert('xss');</script>" and save
the content type
6.  Click Administer -> Site configuration -> Service links to trigger
the JavaScript

Technical details:
- - ------------------------
The Service links module fails to sanitize the output of the content
type names before display.  Applying the following patch fixes this
vulnerability.

Patch
- - -------
Applying the following patch mitigates these threats.

- --- service_links/service_links.module        2008-02-26 12:01:27.000000000 
-0500
+++ service_links_fixed/service_links.module    2009-10-02
06:33:21.000000000 -0400
@@ -35,11 +35,12 @@ function service_links_admin_settings()
     '#title' => t('Where to show the service links'),
     '#description' => t('Set the node types and categories you want to
display links for.'),
   );
+  $names = array_map('filter_xss', node_get_types('names'));
   $form['where_to_show_the_links']['service_links_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Node types'),
     '#default_value' => variable_get('service_links_node_types', array()),
- -    '#options' => node_get_types('names'),
+    '#options' => $names,
   );
   if (module_exists('taxonomy')) {
     $form['where_to_show_the_links']['service_links_category_types'] =
array(

- --

Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkrGEWkACgkQkSlsbLsN1gBl7wb+IW9Jk9N8ewZfa4mDxj8W1AVI
jG20xNmLhO9juy8SLe1VD6aAEB5vSDLGOQKB9bIZIuGHRbTwCh1CRYy3RldBCuMn
SKDtBHDpCSLRiy3QfUUeFud7z5GaLoPkJ8x9Esrs3bWtt2mM6AtFmCpuiGWffXWB
oBvlSpBF2QylQi8kZMqcjzQsuVEdJip/nMfbUWYrTWw4mGANXGIZiWG2ADeNKUAR
uI6caEFcLAcSiRP67k8PXyuMuMVY2RWVVmetemBmJKX5ToUNNSHC+Zhw8UUQ9A99
NzGOoXc2dSXhuR9GxJs=
=YUno
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/