Open source software security

Drupal Taxonomy Manager 6.x-1.0 XSS Vulnerability


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Taxonomy Manager (http://drupal.org/project/taxonomy_manager) is a module that "provides an [sic] powerful interface for managing a taxonomy vocabulary. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed." The Taxonomy Manager suffers from a cross site scripting (XSS) vulnerability because it fails to properly sanitize the "Vocabulary name" during output, allowing for the injection of arbitrary HTML.
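The following PHP is an added illustration of the output-sanitization flaw described above; it is not the Taxonomy Manager module's own code. It contrasts the unsafe pattern (a stored vocabulary name concatenated straight into markup) with the Drupal 6 idiom of escaping at output time with check_plain(). The vocabulary object shape, the admin path, and the helper names are assumptions made for the example; check_plain() is the real Drupal 6 API (htmlspecialchars() with ENT_QUOTES and UTF-8), redefined here only so the file runs outside a Drupal bootstrap.

```php
<?php
// Added illustration, not the Taxonomy Manager module's code.
// Drupal 6 escapes untrusted text for HTML output with check_plain(); when this
// file is run outside a Drupal bootstrap we provide an equivalent so it runs
// stand-alone (Drupal 6's check_plain() is htmlspecialchars() with ENT_QUOTES, UTF-8).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Assumed vocabulary object shape: a stdClass carrying ->vid and ->name,
// similar to what taxonomy_get_vocabulary() returns in Drupal 6.
function make_vocabulary($vid, $name) {
  $vocabulary = new stdClass();
  $vocabulary->vid = $vid;
  $vocabulary->name = $name;
  return $vocabulary;
}

// Unsafe pattern: the stored name is written into the page unescaped, so
// whatever was typed into "Vocabulary name" is interpreted as live HTML.
// The admin path below is an assumed placeholder for the example.
function render_vocabulary_link_unsafe($vocabulary) {
  return '<a href="/admin/content/taxonomy_manager/' . (int) $vocabulary->vid . '">'
    . $vocabulary->name . '</a>';
}

// Hardened pattern: the same stored value is escaped at output time, so it
// renders as visible text instead of a script element. The ID is cast to int
// so that attribute also cannot carry markup.
function render_vocabulary_link_safe($vocabulary) {
  return '<a href="/admin/content/taxonomy_manager/' . (int) $vocabulary->vid . '">'
    . check_plain($vocabulary->name) . '</a>';
}

// Defender's check: the rendered markup must not contain the raw name and
// must not contain an unescaped opening script tag.
function output_is_inert($html, $name) {
  return strpos($html, $name) === false && stripos($html, '<script') === false;
}

// Constructed sample input: the payload string from the advisory's proof of concept.
$vocabulary = make_vocabulary(7, "<script>alert('xss');</script>");

echo "Unsafe: ", render_vocabulary_link_unsafe($vocabulary), "\n";
echo "Safe:   ", render_vocabulary_link_safe($vocabulary), "\n";
echo "Safe output inert: ", output_is_inert(render_vocabulary_link_safe($vocabulary), $vocabulary->name) ? 'yes' : 'no', "\n";
echo "Unsafe output inert: ", output_is_inert(render_vocabulary_link_unsafe($vocabulary), $vocabulary->name) ? 'yes' : 'no', "\n";
```

In a real Drupal 6 module the usual fix is simply to wrap the name in check_plain() wherever it is echoed into markup, or to build the link with l(), which escapes its link text by default; escaping on input instead of on output is not a substitute, because the stored value is also reused in contexts with different escaping rules.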

Systems affected:

Drupal 6.12 with Taxonomy Manager 6.x-1.0 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise, which could in turn lead to compromise of the web server process.

Mitigating factors:

Taxonomy Manager must be installed and enabled. The attacker must have the 'administer taxonomy' permission in order to carry out the proof of concept exploit detailed below. Note that the proof of concept provided utilizes known attack vectors; other vectors may exist.

Proof of concept:

  1. Install Drupal 6.12.
  2. Install and enable the Taxonomy Manager module.
  3. Click on 'Administer' -> 'Taxonomy Manager'.
  4. Click 'Add new vocabulary'.
  5. Fill in `<script>alert('xss');</script>` for the 'Vocabulary name:' textarea value.
  6. Enter arbitrary data for the rest of the input.
  7. Click 'Save'.
  8. In 'Administer' -> 'Content management' -> 'Taxonomy', click 'add terms' next to the new taxonomy.
  9. Fill in arbitrary values for the new term.
  10. Click 'Save'.
  11. Click on 'Administer' -> 'Content management' -> 'Taxonomy Manager'.
  12. Click the link under 'Vocabularies:' for the new vocabulary.
  13. View the JavaScript alert.

Vendor Response:

Upgrade to the latest version; see http://drupal.org/node/487818.