
[Full-disclosure] Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Full details of this report are also posted at
http://www.madirish.net/?article=430

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and backed by a database such as MySQL, and it provides
extensibility through various third party modules.  The Wikitools module
(http://drupal.org/project/wikitools) "provides some settings to get a
more wiki-like behavior. It aims to be lightweight; all features are
optional, and it provides no database tables of its own."

The Wikitools module contains a cross site scripting vulnerability
because it does not escape content type names before displaying them
in its administrative settings form.

Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
-------
XSS vulnerabilities may allow an attacker to hijack site administrative
accounts, which in turn could lead to compromise of the web server process.

Mitigating factors:
-------------------
The Wikitools module must be installed.  To carry out this exploit the
attacker must have the 'administer content types' permission, since the
payload is stored as a content type name.

Proof of Concept:
---------------------
1.  Install Drupal
2.  Install Wikitools
3.  Create a new content type from Administer -> Content management ->
Content types -> Add content type
4.  Enter "<script>alert('xss');</script>" for the content type name and
save the new content type
5.  Enable the Wikitools module from Administer -> Site Building -> Modules
6.  Click on Administer -> Site configuration -> Wikitools; the JavaScript
alert executes when the settings form renders the content type name

Technical details:
------------------------
The Wikitools module passes the result of node_get_types('names') straight
into the '#options' of a checkboxes element in its settings form.  The Form
API renders those option labels as raw HTML, so any markup contained in a
content type name is injected unmodified into the administrative page,
leading to an arbitrary HTML injection vulnerability.
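The following script is an added example (not part of this advisory and
not Wikitools code) that shows what the two candidate fixes do to a crafted
content type name.  It assumes a bootstrapped Drupal 5 or 6 site so that
filter_xss() and check_plain() are available (for instance run it with
`drush php-script`, or include it from a module); the content type names
are constructed for the example and do not come from a real site.

```php
<?php
// Added example, not Wikitools code. Assumes Drupal's bootstrap has run so
// filter_xss() and check_plain() exist (e.g. `drush php-script xss.php`).

// Constructed stand-in for node_get_types('names'): machine name => label.
$names = array(
  'page'  => 'Page',
  'story' => 'Story',
  // The PoC payload from the advisory, saved as a content type name by a
  // user holding 'administer content types'.
  'evil'  => "<script>alert('xss');</script>",
  // A harmless name that contains markup, to show where filter_xss() and
  // check_plain() differ.
  'fancy' => 'Team <em>wiki</em> page',
);

// Returns the three label variants for every content type name.
function label_variants(array $names) {
  return array(
    // Vulnerable: the Form API prints checkbox labels verbatim, so this is
    // exactly the HTML that reaches the administrator's browser.
    'raw'         => $names,
    // The advisory's patch: disallowed tags are dropped (their text content
    // is kept) and dangerous attributes removed, but the default whitelist
    // (a, em, strong, ...) still renders as markup.
    'filter_xss'  => array_map('filter_xss', $names),
    // Stricter alternative: treat the name as plain text and escape every
    // special character (check_plain() wraps htmlspecialchars with
    // ENT_QUOTES), so no tag in a name ever renders.
    'check_plain' => array_map('check_plain', $names),
  );
}

$variants = label_variants($names);
foreach ($names as $type => $label) {
  printf("%-6s raw:         %s\n", $type, $variants['raw'][$type]);
  printf("%-6s filter_xss:  %s\n", '',    $variants['filter_xss'][$type]);
  printf("%-6s check_plain: %s\n", '',    $variants['check_plain'][$type]);
}
```

For the 'evil' entry the filter_xss() variant becomes `alert('xss');`
(the script tags are dropped) while check_plain() yields
`&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;`; for 'fancy' the
filter_xss() variant keeps the `<em>` tags and so renders the name with
emphasis, whereas check_plain() shows the tags literally.  Both stop the
advisory's PoC; check_plain() is the usual choice for a label that is meant
to be plain text.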

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

- - --- wikitools/wikitools.module  2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module    2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
- - -    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#size' => count(node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
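Review bot: filter_xss() on the '#options' line keeps its default whitelist of tags (a, em, strong and so on), so a content type name such as `Team <em>wiki</em> page` would still render as markup in the checkbox label; since a content type name is plain text, `'#options' => array_map('check_plain', node_get_types('names')),` is the more appropriate escaping here and also closes the hole with no whitelist to reason about. Minor: node_get_types('names') is now evaluated twice in this element (once for '#options', once for '#size'); assign it to a local once and reuse it.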

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

- - --- wikitools/wikitools.admin.inc       2009-06-17 23:57:33.000000000
- -0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
- - -    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
     '#description' => t('Select the node types which will be affected
by the specified options. If you select multiple node types, all nodes
of these types will be searched for when a wikipath is entered. If a
wikipage doesn\'t exist, an option to create any of these types will be
given.'),
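Review bot: as in the 5.x patch, check_plain() rather than filter_xss() is the idiomatic Drupal escaping for a plain-text label such as a content type name, since filter_xss() leaves whitelisted tags in place. Separately, the '#description' in this same hunk says the module offers to create nodes of the selected types when a wikipage does not exist; this patch only escapes the names on the settings form, so the code that builds those "create" options should be checked to confirm it escapes the type name as well.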

Vendor Response
---------------

In the past the vendor has responded that vulnerabilities requiring
'administer content types' privileges have already been addressed by
SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not
classified as security vulnerabilities, but rather as bugs.
-- 
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSs+SPpEpbGy7DdYAAQIBLAcAlXKFu+tQfvEGp3D4SZ+ABLyEMon0xweC
++PCNDYT1zY3/v3A/nCekV0ebTgwwP/AXjjtJULD7TlbqI1nWxIUBDn2a4CM9TWs
u8rUsFoySv5oq2g00c6uREF/8M8xdicSD5YL71C1/34iDjaltUci4OyxejHW1w/7
Nfk2dMLl1odnybgBBCZkgT1Kf1fa8wq+2CVkKkgcQGVKCcgawF0R36A6uQlwB3Bc
a7lvDdF2sBIlzskiNYitmbGMYHQUMGnQH6B1eoxajcKkGPi4CGSTaMd4UVAL/u4m
37BItJX+Wng=
=bsff
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/