Drupal Print 6.x-1.7 Multiple XSS Vulnerabilities

30 November -0001

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Printer, e-mail and PDF versions (hereafter referred to as Print) module (http://drupal.org/project/print) allows for the generation of printer friendly versions of nodes, PDF version of nodes, and the sending of nodes to e-mail recipients. The Print module contains numerous stored cross site scripting (XSS) vulnerabilities:

Description of Vulnerability

The Print module contains a XSS vulnerability because it does not properly sanitize the output of the footers in printer friendly views. This allows users with 'administer print' permissions to inject arbitrary HTML in the footer field that is rendered whenever the printer friendly version of any node is displayed.

The Print module also contains a XSS vulnerability due to the fact that 'Stylesheet URL' input is not properly sanitized when displayed. This allows malicious users the ability to inject external stylesheet locations into the link tag displayed on printer friendly versions of nodes. This vulnerability, combined with Internet Explorer support for "expression" in CSS allows for XSS attacks.

The print module also contains a XSS vulnerability due to the fact that the 'site name' is not properly sanitized when displaying e-mail confirmation in the "Thank you for spreading the word about [site_name]" area. The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'Thank You Message:' input.

The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize node titles for display in the breadcrumbs on printer friendly versions of nodes.

The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'font family' setting when displaying PDF versions of nodes.

Systems affected:

Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to be vulnerable to footer XSS injection. Drupal 6.12 with Print 6.x-1.7 and IE 6 was tested and shown to be vulnerable to link XSS njection. Additional testing indicated that the 5.x-4.7 branch of the Print module is also vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

Print must be installed and enabled. Attacker must have 'administer print' permissions in order to carry out the proof of concept exploit detailed below. Site administration permissions are required to carry out the site name injection described in the proof of concept below. Internet Explorer is vulnerable to the malicious style sheet inclusion proof of concept detailed below, other browsers may not be affected depending on their support for the 'expression' statement in cascading style sheets (CSS). Note that the proof of concept provided utilizes known attack vectors, other vectors may exist.

Proof of concept:

  1. Install Drupal 6.12.
  2. Install Print and enable all Print functionality through Administer -> Modules. Install TCPDF per the Print module INSTALL.txt
  3. In Administer -> Site configuration set the site name to "<script>alert('site name');</script>"
  4. Create a new content node with the title "<script>alert('node title');</script>"
  5. Click "Save configuration"
  6. Create malicious stylesheet at arbitrary URL (for this PoC the stylesheet is at http://192.168.0.2/style.css). Include the following:
    BODY {
    	width:expression(alert("stylesheet xss"));
    }
    
  7. Click on Administer -> Site Configuration -> Printer, e-mail and PDF versions
  8. Select the 'Settings' link
  9. Fill in "http://192.168.0.2/style.css' a='" for the "Stylesheet URL"
  10. Expand the "Footer options" input area
  11. Check the "User-specified" radio button
  12. Fill in "<script>alert('footer xss');</script>" for the "User-specified:" text input
  13. Click the "Save configuration" button
  14. Navigate to the homepage
  15. View the node created in step 3 above and click the "Printer-friendly version" link
  16. Observe three JavaScript alerts in IE, other browsers may only display the node title and footer XSS alerts.
  17. Return to the node view and click the "Send to friend" link. Fill in arbitrary values and click the "Send e-mail" button
  18. Observe the site name JavaScript alert
  19. Modify the PDF settings from Administer -> Site configuration -> Printer, e-mail and PDF versions.
  20. Fill in "dejavusans' <script>alert('font family');</script>" in the "Font Family:" text input.
  21. Click "Save configuration"
  22. View the node created in step 4 above, click the "PDF version" link
  23. Observe the JavaScript alert
  24. Note that this causes a white screen and TCPDF error

Timeline

May 27 - Issue reported to vendor
June 1 - Originator re-contacts vendor to confirm receipt
June 1 - Vendor confirms receipt
June 9 - Originator inquires as to possibility of June 10 fix
June 9 - Vendor replies maintainer contacted but June 10 fix unlikely
July 24 - Vendor reports a June 29 fix
July 29 - Vendor reports additional work necessary, fix delayed
August 20 - Vendor releases security announcement http://drupal.org/node/554448

Vendor Response

Upgrade to latest version http://drupal.org/node/554448.