Open source software security

Drupal CCK 5.x-1.10 XSS Vulnerability

Description of Vulnerability:

Drupal is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third-party modules. The CCK module "allows you to add custom fields to nodes using a web browser."

The CCK module version 5.x-1.10 contains a cross-site scripting vulnerability because it does not sanitize the group label before rendering it in the field overview page.

Systems affected:

Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.


XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The CCK module must be installed. To carry out a CCK-based XSS exploit the attacker must already hold the 'administer content types' permission.

Proof of Concept:

  1. Install Drupal 5
  2. Install CCK 5.x-1.10
  3. Enable the CCK module from Administer -> Site building -> Modules and enable all CCK modules
  4. Go to Administer -> Content management -> Content types and click the 'edit' link next to the 'Page' content type
  5. Click the 'Add group' tab at the top
  6. Enter <script>alert('xss');</script> as the label and save the group by clicking the 'Add' button at the bottom of the form
  7. On form submission you will be redirected to /?q=admin/content/types/page/fields, where the JavaScript is rendered and executes three times.

Technical details:

The CCK module fails to sanitize the CCK group label before display on lines 248 and 285, inside theme_content_admin_field_overview(). Applying the following patch mitigates this vulnerability.

$ diff -up cck/ cck_fixed/ 
--- cck/       2008-09-03 09:45:05.000000000 -0400
+++ cck_fixed/ 2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
               $row[] = drupal_render($form['field-groups'][$fname]);
-              $row[] = array('data' => $cell, 'class' => $class);
+              $row[] = array('data' => filter_xss($cell), 'class' => $class);
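Review bot: The hunk header declares seven lines of context (`-245,7 +245,7`) but only three lines are shown, so this hunk will not apply cleanly with `patch` as printed; the full context should be included. On the fix itself: since a group label is plain text and never needs to carry markup, `check_plain($cell)` would be the stricter choice over `filter_xss($cell)`, which still passes a whitelist of HTML tags through to the page.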
@@ -282,7 +282,7 @@ function theme_content_admin_field_overv
             // add the group row in its own table above the group fields table, then reset $row().
             $fieldset = array(
-              '#title' => t('!label (!name)', array('!label' => $form['#group_labels'][$fname], '!name' => $fname)),
+              '#title' => t('!label (!name)', array('!label' => filter_xss($form['#group_labels'][$fname]), '!name' => $fname)),
               '#collapsible' => TRUE,
               '#collapsed' => FALSE,
               '#value' => theme('table', array(), array(array('data' => $row, 'class' => 'content-field-overview-group'))) . theme('table', $header, $grows),
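Review bot: Wrapping the label in `filter_xss()` before handing it to `t()` is needed here because the `!label` placeholder is inserted verbatim, with no escaping. An equivalent and more idiomatic fix is to switch the placeholder to `@label`, which makes `t()` run the value through `check_plain()` itself, so the escaping cannot be forgotten by a later edit. As with the first hunk, one context line is missing relative to the `-282,7 +282,7` header, so the patch should be regenerated from the original file rather than applied as shown.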

Vendor Response

The vendor replied that, because exploiting the vulnerability requires the "administer content types" privilege, they will not release a security announcement.