Drupal 6.12 (core) User Module XSS Vulnerability

30 November -0001

Vendor Notified: 05/19/09

Vendor Response: Drupal security team notes that this vulnerability has been publicly disclosed since October 2, 2008 and it is not considered a "security risk." Ref: http://drupal.org/node/316136.

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The user module is provided as part of the Drupal 6 core modules and contains a cross site scripting (XSS) vulnerability that can allow users with the 'administer permissions' permission to inject arbitrary HTML into role names. Users with 'administer permissions' permission could create new roles containing malicious JavaScript and silently attack site administrators. While users with this permission could elevate the permissions of their own role using permissions they have been granted, this flaw could allow for a "stealth" attack vector.

Systems affected:

Drupal 6.12 was tested and shown to be vulnerable

Impact

Authenticated users with 'administer permissions' can exploit this vulnerability to attack other users with privileges to view roles.

Mitigating factors:

Attacker must have 'administer permissions' permissions in order to exploit this vulnerability. Having this permission would allow a user to elevate permissions of their own role so this vulnerability would represent a more subtle attack vector.

Proof of concept:

  1. Install Drupal 6.12.
  2. Click Administer -> User management -> Roles
  3. Enter "<script>alert('xss');</script>" in the "Name" textarea
  4. Click the "Add Role" button
  5. Observe JavaScript alert

NB

Note that this XSS affects several other screens in the Drupal 6 administrative back end.