Drupal Date 6.x-2.2 and Calendar 6.x-2.1 XSS Vulnerability

30 November -0001

Vulnerability Report

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Date and Calendar modules (http://drupal.org/project/date, http://drupal.org/project/calendar) provides functionality for constructing views based on dates for calendar type displays. The Calendar module suffers from a cross site scripting (XSS) vulnerability due to the fact that it does not properly sanitize names during display.

Systems affected:

Drupal 6.12 with Date 6.x-2.2, Calendar 6.x-2.1 and Views 6.x-2.6 was tested and shown to be vulnerable

Impact

Authenticated users can exploit this vulnerability to escalate privilege and take control of the web server process.

Mitigating factors:

Attacker must have 'use date tools' permissions in order to exploit this vulnerability. Permissions to 'administer views' are required to be affected by the XSS (otherwise injected code results on pages to which the user is denied access).

Proof of concept:

  1. Install Drupal 6.12.
  2. Install Views, Date, and Calendar and enable all functionality through Administer -> Modules
  3. Click Administer -> Content management -> Date Tools
  4. Click 'Date wizard' to create a new content type
  5. Enter "<script>alert('xss');</script> in the "Content type label" textarea
  6. Enter arbitrary data in other fields
  7. Click 'save' to view JavaScript alert

Alternatively this XSS can also be triggered by viewing content type:

  1. Click Administer -> Content management -> Date tools
  2. Click the 'calendar_date' link next to the new content type
  3. Observe JavaScript alert

Alternatively this XSS can also be triggered by editing the new view from Administer -> Site building -> Views and clicking 'Edit' next to the new 'calendar_date' view.

Timeline:

05-19-09 Drupal security notified of vulnerability
05-21-09 Drupal security acknowledges vulnerability, advises June 3 fix
06-02-09 Drupal security advises module maintainer asks for extension, advise June 10 fix
06-10-09 Drupal security advises revised fix schedule
07-23-09 ORIGINATOR advises over a month has passed without update and that disclosure will be made within 24 hours unless circumstances have changed. ORIGINATOR receives no response.
07-24-09 Public disclosure
07-29-09 Vendor releases SA-CONTRIB-2009-047 and SA-CONTRIB-2009-046 along with official patch

Patch

In order to mitigate this vulnerability apply the following patch:

--- calendar/includes/calendar_plugin_display_page.inc  2009-01-10 15:04:17.000000000 -0500
+++ calendar/includes/calendar_plugin_display_page.inc  2009-07-24 08:55:23.234846590 -0400
@@ -107,7 +107,7 @@ class calendar_plugin_display_page exten
     $options['calendar_date_link'] = array(
       'category' => 'calendar_settings',
       'title' => t('Add new date link'),
-      'value' => !empty($default) ? node_get_types('name', $default) : '',
+      'value' => !empty($default) ? check_plain(node_get_types('name', $default)) : '',
     );
 
   }

Vendor Response

SA-CONTRIB-2009-047 and SA-CONTRIB-2009-046