Drupal CCK 6.x-2.2 XSS Vulnerability
Vendor Notified: 05/18/09
Vendor Response: Karoly Negyesi of Drupal security denies issue exists. Drupal security has responded to reports of CCK based XSS vulnerabilities in past with http://drupal.org/node/372836, which basically shirks the issue. Although a problem clearly exists, Drupal seems unconcerned with fixing it, instead semantically hiding the vulnerability behind a reclassification of permissions that appears only in SA-CORE-2009-002 rather than in either the Drupal interface or documentation.
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Drupal Content Creation Kit (CCK - http://drupal.org/project/cck) is a module that allows site maintainers to modify content types by associating custom fields with specific content types. The Drupal CCK module contains a vulnerability that could allow an authenticated attacker to inject arbitrary script into administration screens for content types. This could allow an attacker to issue a cross site scripting (XSS) attack against Drupal users with elevated privilege levels.
Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable
CCK must be installed and enabled. Attacker must have 'administer content types' permissions in order to exploit this vulnerability.
Proof of concept:
- Install Drupal 6.12.
- Install CCK and enable all CCK functionality through dminister -> Modules
- Click on Administer -> Content management -> Content types
- Select a type and click the 'manage fields' operation
- Click 'edit' to edit the node-type
- Expand the 'Submission form settings' input area
- Fill in "<script>alert('title');</script>" for the "Title field label"
- Fill in "<script>alert('body');</script>" for the "Body field label"
- Click 'Save content type'
- Click Administer -> Content Management -> Content types
- Click "manage fields" link for the type selected in #4 above