Open source software security

Drupal Flag Module 6.x-1.1 XSS Vulnerability

30 November -0001

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Flag module (http://drupal.org/project/flag) "is a flexible flagging system that is completely customizable by the administrator. Using this module, the site administrator can provide any number of flags for nodes, comments, or users. Some possibilities include bookmarks, marking important, friends, or flag as offensive. With extensive views integration, you can create custom lists of popular content or keep tabs on important content."

The Flag module contains a cross site scripting vulnerability because it does not properly sanitize output of role names before display during flag creation.

Systems affected:

Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The Flag module must be installed. To carry out a role based XSS exploit against the module the attacker must be able to inject malicious role names which requires 'administer permissions' privileges or write access to the Drupal database. Only users with permission to 'administer flags' are affected by this vulnerability.

Proof of Concept:

  1. Install Drupal 6.13
  2. Install Flag 6.x-1.1
  3. Enable the Flag and Flag actions modules from Administer -> Site building -> Modules
  4. Click the Administer -> User Management -> Roles link
  5. Enter "<script>alert('xss');</script>" in the 'Name' textarea and click the 'Add role' button
  6. (Note that this triggers a XSS, a vulnerability in 6.13 core)
  7. Click Administer -> Site Building -> Flags
  8. Click the 'Add' tab
  9. Fill in an arbitrary 'Flag name' and click the 'Submit' button
  10. Observe the JavaScript alert

Technical details:

The Flag module fails to sanitize role names on line 708 of flag.views.inc before display.

Vendor Response:

It is the position of Drupal security that "'administer permissions' allows arbitrary permission escalation already, so [...] we do not consider it a security vulnerability."

Patch

Applying the following patch mitigates these threats.

diff -up flag/flag.module flag_fixed/flag.module
--- flag/flag.module    2009-03-14 02:13:54.000000000 -0400
+++ flag_fixed/flag.module      2009-08-18 09:23:37.404047187 -0400
@@ -702,10 +702,11 @@ function flag_form(&$form_state, $name, 
     $form['roles']['#value'] = $flag->roles;
   }
 
+  $options = array_map('check_plain', node_get_types('names'));
   $form['types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('What nodes this flag may be used on'),
-    '#options' => node_get_types('names'),
+    '#options' => $options,
     '#default_value' => $flag->types,
     '#description' => t('Check any node types that this flag may be used on. You must check at least one node type.'),
     '#required' => TRUE,