[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Drupal XML Sitemap 6.x-1.1 XSS Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Reid of Drupal security correctly pointed out to me that this
vulnerability is for "Sitemap" module, not "XML Sitemap" as specified in
the subject line.  There are just so many that I lose track sometimes...
 Props to Dave for spotting my error and apologies for any confusion.

Justin C. Klein Keane
http://www.MadIrish.net


Justin Klein Keane wrote:
> Details of this vulnerability can also be found at
> http://www.madirish.net/?article=435
> 
> Description of Vulnerability:
> 
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL that provides extensibility through various
> third party modules. The Site Map module
> (http://drupal.org/project/site_map) "provides a site map that gives
> visitors an overview of your site. It can also display the RSS feeds for
> all blogs and categories."
> 
> The Site map module contains a cross site scripting vulnerability
> because it does not properly sanitize output of titles before display.
> 
> Systems affected:
> 
> Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.
> Impact:
> 
> XSS vulnerabilities may expose site administrative accounts to
> compromise which could lead to web server process compromise.
> 
> Mitigating factors:
> 
> The Site map module must be installed. To carry out a Site map based XSS
> exploit the attacker must have 'administer site configuration' permissions.
> 
> Proof of Concept:
> 
>    1. Install Drupal 6.14
>    2. Install Site map 6.x-1.1
>    3. Enable the Site map module from Administer -> Site building -> Modules
>    4. Click Administer -> Site configuration -> Site map
>    5. Enter "<script>alert('xss');</script>" in the 'Site map message'
> text area
>    6. Enable the site map link in Administer -> Site building -> Menus
> -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and
> clicking the 'Save configuration' button
>    7. Click on the 'Site map' link in the navigation to observe the
> rendered JavaScript
> 
> Technical details:
> 
> The Site map module fails to sanitize the output of the site map message
> before display. Applying the following patch fixes this vulnerability.
> 
> Patch
> 
> Applying the following patch mitigates these threats.
> 
> --- site_map/site_map.module    2009-09-30 15:09:49.295134033 -0400
> +++ site_map/site_map.module      2009-09-30 15:09:30.011119976 -0400
> @@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
>   switch ($path) {
>     case 'sitemap':
>       $output = _sitemap_get_message();
> - -      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
> +      return $output ? '<p>'. $output .'</p>' : '';
>   }
>  }
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSthnM5EpbGy7DdYAAQI8DwcAgwYEIG/7iuccRew6/Y5gg3Nu1yHBX0A2
/Qi4xItTgh47V1Gbe/lfxeFJavyV4ofXXxfOdnvoK1v9+GFetqDnL8o5836tN8ov
Xy4k7J+zcGz0iOH+eJggIFn6AfK+NpRlFaghYpEFnnHdaS9iTUzqi0hIaDlyDypT
9p9+ClsvHbv1jlmG+MhkNXtThAkAzxw3ZH3CNRbXEqbSK+LOknzsgPRBIdQvjK+z
aJp6kCB6GV2M8KeglHYCSzDQNag2GZBzALGQXaDiR8poXutxzP0egzeBmeQ0PZjx
qTDjFUuJrFY=
=lSK5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/