Drupal Protected Node 5.x-1.3 XSS Vulnerability


The Drupal Protected Node module (http://drupal.org/project/protected_node) is designed to restrict access to nodes using passwords. When a node is created it can be protected by selecting 'protected node' and specifying a password; users attempting to view the node must then enter that password.

The Protected Node module version 5.x-1.3 fails to properly sanitize the text entered in the 'Password page info' field at Administer -> Site Configuration -> Protected Node. Users with the 'administer site configuration' permission can access this page; the text is later rendered, unescaped, on the password prompt shown to users requesting a protected node.

Steps to reproduce the exploit:

  1. Enable the Protected Node module
  2. Set permissions (Administer -> User Management) so anonymous users can access protected content in the protected_node module section
  3. Click Administer -> Site Configuration -> Protected node
  4. Enter the value <script>alert('xss');</script> into the 'Password page info' textarea
  5. Create a new piece of content
  6. In the 'Protected node' section on the content creation screen check the 'Node is protected' checkbox and enter a password.
  7. Save the content.
  8. Log out and view the content to trigger the JavaScript

Technical details:

This vulnerability is caused by a failure to sanitize the setting when it is displayed in the protected_node_enterpassword() function in protected_node.module. Lines 272-274 print the user-supplied text with the statement:

// $info holds the raw 'Password page info' setting; with no '#type' given the
// element defaults to 'markup', so '#value' is emitted as unescaped HTML.
$form['protected_node'] = array(
  '#value' => $info
);

The $info variable should be passed through check_plain() or a similar escaping function before it is rendered, in order to prevent the XSS vulnerability.
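The following is an added example, not code from the advisory or from the Protected Node module. It places the vulnerable element beside a hardened one and runs the string from step 4 through both. The form key and the $info variable are the ones named in the advisory; the two wrapper function names are assumptions, and the fallback definition of check_plain() is included only so the snippet runs outside Drupal (Drupal 5's own check_plain() escapes with htmlspecialchars() and ENT_QUOTES in the same way).

```php
<?php
// Added example, not the module's own code.
// Outside Drupal, provide a check_plain() with the same escaping behaviour as
// the Drupal 5 function the advisory recommends (assumption: this fallback is
// only used when the script runs stand-alone).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable form of the element: '#type' is not set, so it defaults to
// 'markup' and '#value' is rendered as raw HTML. Function name is an assumption.
function protected_node_info_element_vulnerable($info) {
  $form = array();
  $form['protected_node'] = array(
    '#value' => $info,
  );
  return $form;
}

// Hardened form of the element: the admin-supplied text is escaped, so any
// markup in it is displayed literally instead of being interpreted.
function protected_node_info_element_safe($info) {
  $form = array();
  $form['protected_node'] = array(
    '#value' => check_plain($info),
  );
  return $form;
}

// Constructed sample input: the value from step 4 of the reproduction steps.
$info = "<script>alert('xss');</script>";

$vulnerable = protected_node_info_element_vulnerable($info);
$safe       = protected_node_info_element_safe($info);

echo "vulnerable '#value': " . $vulnerable['protected_node']['#value'] . "\n";
echo "hardened   '#value': " . $safe['protected_node']['#value'] . "\n";
```

check_plain() is the right choice when the 'Password page info' text is meant to be plain text. If the setting is intended to allow a limited set of HTML tags for formatting, Drupal 5's filter_xss() with an explicit allowed-tag list is the alternative; either way the escaping belongs at the point of output in protected_node_enterpassword(), not only at the point where the setting is saved.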