Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability

30 November -0001

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and supported by a MySQL database. The power of Drupal systems is extended by various modules. Most modules are developed by third parties, but there is a set of "core" modules that are provided as part of a standard Drupal installation.

Drupal 5.17 Taxonomy module, which is part of the Drupal core and is enabled by default upon installation, contains a cross site scripting vulnerability that allows users with the 'administer taxonomy' permission to inject arbitrary HTML in the help text of any Category vocabulary. This arbitrary HTML will be displayed when any user attempts to create new content associated with the taxonomy.

Proof of concept:

  1. Log in to Drupal 5.17 as a user with administer taxonomy permissions
  2. Create a new content category using Administer -> Categories -> Add Vocabulary
  3. Enter "<script>alert('xss');</script>" in the 'Help text:' field, check the 'Page' and 'Story' checkboxes under 'Types' and fill out arbitrary values for other fields.
  4. Click 'Submit'
  5. Create new content by clicking the 'Create content' link and then click either 'Page' or 'Story'
  6. A JavaScript alert will appear

This vulnerability is especially dangerous as it targets content creators, who are likely to have elevated privileges in Drupal. Extreme care should be given to those users granted the 'administer taxonomy' privilege until a fix is available.