Drupal Email Field 6.x-1.1 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP, typically backed by a MySQL database, that provides extensibility through various third-party modules. The Email Field module (http://drupal.org/project/email) extends the Content Construction Kit (CCK) module (http://drupal.org/project/cck) with a CCK field type for e-mail addresses.

The Email Field module contains a cross site scripting vulnerability: the help text entered for an Email field during content type configuration is stored and later rendered as the field widget's description without any sanitization, so markup and script in it reach the browser unchanged.

Systems affected:

Drupal 6.12 with Email Field 6.x-1.1 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise. The injected script runs in the browser of every user who views the affected form, including site administrators, and an attacker who takes over an administrative session can enable modules or change settings that lead to web server process compromise.

Mitigating factors:

The CCK and Email Field modules must be installed. To carry out the proof of concept below the attacker must authenticate as a user with 'administer content types' permission. Other attack vectors may exist.

Proof of Concept:

  1. Install the CCK and Email field modules
  2. Log in as a user with 'Administer content types' privilege
  3. Click Administer -> Content Types
  4. Click 'Add a new content type' link
  5. Fill in arbitrary values
  6. Click 'Save content type' button
  7. On the 'Administer' -> 'Content management' -> 'Content types' screen, click 'manage fields' in the Operations column for the new content type
  8. Fill in a new field label and field name
  9. Select 'Email' for the type of data to store
  10. Click the 'Save' button
  11. In the "Help text:" field enter "<script>alert('xss');</script>"
  12. Click the 'Save field settings' button
  13. Click the 'Configure' link next to the new 'Email' type
  14. Observe JavaScript alert

-or-

  1. Click 'Create content' link
  2. Click link for newly created type
  3. Observe JavaScript alert
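The sink exercised by the proof of concept, and the two ways Drupal code normally closes it (check_plain(), which escapes everything, and filter_xss(), which keeps an allowlist of tags), modelled in Python as an added example. This is not code from the Email Field module or Drupal core: the tag allowlist is the one from the patch in the Follow up section, but the filtering logic is a simplified stand-in for filter_xss() and filter_xss_bad_protocol(), not a port of them, and the payloads other than the PoC one are constructed here.

```python
"""Model of the Email Field help-text sink and two ways to close it.

Added example, not code from the Email Field module or Drupal core: the
vulnerable render, the escape-everything fix (what Drupal's check_plain()
does) and the allowlist fix (what the filter_xss() call in the patch does)
are re-expressed in plain Python so they can be run offline. The allowlist
is the one from the patch; the filtering logic is a simplified stand-in,
not a port of filter_xss()/filter_xss_bad_protocol().
"""
import html
from html.parser import HTMLParser

# Tag allowlist copied from the patch on this page.
ALLOWED_TAGS = {'a', 'b', 'big', 'code', 'del', 'em', 'i', 'ins', 'pre', 'q',
                'small', 'span', 'strong', 'sub', 'sup', 'tt', 'ol', 'ul',
                'li', 'p', 'br', 'img'}
VOID_TAGS = {'br', 'img'}
URI_ATTRS = {'href', 'src'}                 # attributes whose value is a URI
BAD_SCHEMES = ('javascript:', 'vbscript:', 'data:')

# The payload from the proof of concept above.
POC_PAYLOAD = "<script>alert('xss');</script>"


def render_help_text_unfiltered(description):
    """The vulnerable sink: the stored help text lands in the page as-is,
    as happens when '#description' is set to the raw widget description."""
    return '<div class="description">%s</div>' % description


def check_plain_like(description):
    """check_plain() approach: escape everything, so no markup survives."""
    return html.escape(description, quote=True)


class _AllowlistFilter(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags; drops on* attributes
    and script-scheme URIs. Disallowed tags are removed but their text is
    kept, which is also how filter_xss() treats <script>."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:              # names arrive lowercased
            if name.startswith('on'):          # onerror, onclick, ...
                continue
            if name in URI_ATTRS and value is not None:
                # Collapse whitespace so "java\tscript:" is still caught;
                # a real implementation also has to handle other encodings.
                scheme = ''.join(value.split()).lower()
                if scheme.startswith(BAD_SCHEMES):
                    continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        rendered = ''.join(' %s="%s"' % (n, html.escape(v or '', quote=True))
                           for n, v in self._clean_attrs(attrs))
        self.out.append('<%s%s>' % (tag, rendered))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        self.out.append('&%s;' % name)

    def handle_charref(self, name):
        self.out.append('&#%s;' % name)
    # Comments and processing instructions fall through to the defaults,
    # which discard them.


def filter_xss_like(description):
    """filter_xss() approach: keep allowlisted markup, strip the rest."""
    p = _AllowlistFilter()
    p.feed(description)
    p.close()
    return ''.join(p.out)


def compare(description):
    """What reaches the browser under each treatment of the help text."""
    return {
        'unfiltered': render_help_text_unfiltered(description),
        'check_plain': check_plain_like(description),
        'filter_xss': filter_xss_like(description),
    }


if __name__ == '__main__':
    for payload in (POC_PAYLOAD,
                    '<a href="javascript:alert(1)" onclick="alert(2)">help</a>',
                    '<img src="x" onerror="alert(1)">',
                    '<em>Enter</em> your address'):
        for mode, out in compare(payload).items():
            print('%-11s %s' % (mode, out))
        print()
```

Running it shows the trade-off behind the patch: check_plain_like() neutralises the PoC payload completely but also turns a harmless `<em>` in the help text into literal text, while the allowlist keeps that markup and still reduces the PoC payload to the bare string alert('xss'); and strips the event-handler and javascript: attributes from the constructed bypass attempts.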

Vendor Response

The Drupal security team has consistently declined to issue a security announcement for vulnerabilities that require 'administer content types' permission, and instead refers to http://drupal.org/node/372836 in response to them.

Follow up

The following patch was submitted to the module maintainer and should mitigate the vulnerability (Ref http://drupal.org/node/485492):

--- email/email.module	2008-08-12 04:12:02.000000000 -0400
+++ email_fixed/email.module	2009-06-08 15:03:40.000000000 -0400
@@ -221,7 +221,7 @@ function email_textfield_process($elemen
   $element[$field_key] = array(
     '#type' => 'textfield',
     '#title' => t($field['widget']['label']),
-    '#description' => t($field['widget']['description']),
+    '#description' => filter_xss(t($field['widget']['description']), $allowed_tags = array('a','b','big','code','del','em','i','ins','pre','q','small','span','strong','sub','sup','tt','ol','ul','li','p','br','img')),
     '#required' => $element['#required'],
     '#maxlength' => 255,
     '#size' => !empty($field['widget']['size']) ? $field['widget']['size'] : 60,
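Review bot: this hunk only filters the description where email_textfield_process() builds the node-edit widget, yet the proof of concept also fires on the field 'Configure' screen (step 13), which is not rendered by this function; confirm that path is sanitized too, or filter the value when it is saved rather than at one render site. Two smaller points on the added line: the description is still passed through t() as the translation string, which Drupal reserves for literal text, so the filter should wrap the stored value directly, as in '#description' => filter_xss($field['widget']['description'], array(...)); and the inline assignment `$allowed_tags = array(...)` inside the call creates a throwaway variable for no reason and should be a plain array argument.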