Drupal Biblio Module 6.x-1.5 XSS Vulnerability

30 November -0001

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Biblio module (http://drupal.org/project/biblio) "allows users manage and display lists of scholarly publications." The Biblio module creates customized views in order to display these listings.

The Biblio module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display.

Systems affected:

Drupal 6.13 with Biblio 6.x-1.5 was tested and shown to be vulnerable.

Impact:

Cross site scripting (XSS) vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The Biblio module must be installed. To carry out a Biblio based XSS exploit against the module the attacker must be able to inject malicious content into Biblio titles which requires the 'create biblio' permission.

Technical details:

The Biblio module fails to sanitize the output of the title of the Biblio on line 203 of biblio/biblio_theme.inc before display. Applying the patch below fixes this vulnerability.

Patch

Applying the following patch mitigates these threats.

--- biblio/biblio_theme.inc     2009-06-05 22:14:24.000000000 -0400
+++ biblio/biblio_theme.inc     2009-07-22 11:46:48.885831673 -0400
@@ -200,7 +200,7 @@ function theme_biblio_tabular($node, $ba
   $fields = _biblio_get_field_information($node->biblio_type, TRUE);
   $rows[] = array(
     array('data' => t('Title'), 'class' => 'biblio-row-title'),
-    array('data' => $node->title)
+    array('data' => check_plain($node->title))
   );
   $rows[] = array(
     array('data' => t('Publication Type'), 'class' => 'biblio-row-title'),

Vendor Response

SA-CONTRIB-2009-048