Drupal Email Field 6.x-1.1 XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Email Field module (http://drupal.org/project/email) is a module that extends the Content Construction Kit (CCK) module (http://drupal.org/project/cck). It allows for a CCK field type for e-mail.
The Email Field module contains a cross site scripting vulnerability due to the fact that it fails to sanitize help text entered by users during content type configuration.
Drupal 6.12 with Email Field 6.x-1.1 was tested and shown to be vulnerable.
XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise. SQL injection attack can manipulate the Drupal database, compromising data, exposing credentials, and could allow injection of XSS attacks in node content.
The CCK and Email Field modules must be installed must be installed. To carry out the proof of concept below the attacker must authenticate as a user with 'administer content type' permissions. Other attack vectors may exist.
Proof of Concept:
- Install the CCK and Email field modules
- Log in as a user with 'Administer content types' privilege
- Click Administer -> Content Types
- Click 'Add a new content type' link
- Fill in arbitrary values
- Click 'Save content type' button
- Click 'manage fields' under the Operations column on the 'Administer' -> 'Content management' screen for the new content type
- Fill in a new field label and field name
- Select 'Email' for the type of data to story
- Click the 'Save' button
- In the "Help text:" field enter "<script>alert('xss');</script>"
- Click the 'Save field settings' button
- Click the 'Configure' link next to the new 'Email' type
- Click 'Create content' link
- Click link for newly created type
Drupal security has consistently declined to issue a security announcement and instead refered to http://drupal.org/node/372836 in response to vulnerabilities that require 'Administer Content Type' permissions.
The following patch was submitted to the module maintainer and should mitigate the vulnerability (Ref http://drupal.org/node/485492):
--- email/email.module 2008-08-12 04:12:02.000000000 -0400 +++ email_fixed/email.module 2009-06-08 15:03:40.000000000 -0400 @@ -221,7 +221,7 @@ function email_textfield_process($elemen $element[$field_key] = array( '#type' => 'textfield', '#title' => t($field['widget']['label']), - '#description' => t($field['widget']['description']), + '#description' => filter_xss(t($field['widget']['description']), $allowed_tags = array('a','b','big','code','del','em','i','ins','pre','q','small','span','strong','sub','sup','tt','ol','ul','li','p','br','img')), '#required' => $element['#required'], '#maxlength' => 255, '#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,