Drupal Protected Node 5.x-1.3 XSS Vulnerability
The Drupal Protected Node module (http://drupal.org/project/protected_node) is designed to restrict access to nodes using passwords. When nodes are created they can be protected by selecting 'protected node' and specifying a password. Users attempting to access the node must then enter a password in order to access the node.
The Protected Node module version 5.x-1.3 fails to properly sanitize user input specified in the 'Password page info' input specified in Administer -> Site Configuration -> Protected Node. Users with the 'administer site configuration' permission can access this page.
Steps to reproduce the exploit:
- Enable the Protected Node module
- Set permissions (Administer -> User Management) so anonymous users can access protected content in the protected_node module section
- Click Administer -> Site Configuration -> Protected node
- Enter the value
<script>alert('xss');</script>into the 'Password page info' textarea
- Create a new piece of content
- In the 'Protected node' section on the content creation screen check the 'Node is protected' checkbox and enter a password.
- Save the content.
This vulnerability is introduced by a failure to sanitize user input as it is being displayed in the protected_node_enterpassword() function in protected_node.module. Lines 272-274 prints out the user supplied text using the statement:
$form['protected_node'] = array( '#value' => $info );
The $info variable should be sanitized using check_plain() or similar function in order to prevent the XSS vulnerability.