Drupal 6.12 (core) User Module XSS Vulnerability
Vendor Notified: 05/19/09
Vendor Response: Drupal security team notes that this vulnerability has been publicly disclosed since October 2, 2008 and it is not considered a "security risk." Ref: http://drupal.org/node/316136.
Description of Vulnerability:
Drupal 6.12 was tested and shown to be vulnerable
Authenticated users with 'administer permissions' can exploit this vulnerability to attack other users with privileges to view roles.
Attacker must have 'administer permissions' permissions in order to exploit this vulnerability. Having this permission would allow a user to elevate permissions of their own role so this vulnerability would represent a more subtle attack vector.
Proof of concept:
- Install Drupal 6.12.
- Click Administer -> User management -> Roles
- Enter "<script>alert('xss');</script>" in the "Name" textarea
- Click the "Add Role" button
Note that this XSS affects several other screens in the Drupal 6 administrative back end.