Drupal Sitemap 6.x-1.1 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a content management system (CMS) written in PHP, normally backed by a MySQL database, that is extended through contributed third-party modules. The Site Map module (http://drupal.org/project/site_map) "provides a site map that gives visitors an overview of your site. It can also display the RSS feeds for all blogs and categories."

The Site map module contains a stored cross-site scripting (XSS) vulnerability: the administrator-defined site map message is written into the page markup without being escaped or filtered before display.

Systems affected:

Drupal 6.14 with Site map 6.x-1.1 was tested and shown to be vulnerable.

Impact:

Because the payload is stored in site configuration and rendered on the site map page, it executes in the browser of every user who views that page, including site administrators. Stealing or riding an administrative session can lead to compromise of administrative accounts, and a Drupal administrator can typically go on to execute code as the web server process.

Mitigating factors:

The Site map module must be installed and enabled. Setting the site map message, as in the proof of concept below, requires the 'administer site configuration' permission, so the attack is an escalation from an already highly privileged role against other administrators (or uid 1) rather than an unauthenticated attack.

Proof of Concept:

  1. Install Drupal 6.14
  2. Install Site map 6.x-1.1
  3. Enable the Site map module from Administer -> Site building -> Modules
  4. Click Administer -> Site configuration -> Site map
  5. Enter "<script>alert('xss');</script>" in the 'Site map message' text area
  6. Enable the site map link in Administer -> Site building -> Menus -> Navigation by clicking the 'Enable' checkbox next to 'Site map' and clicking the 'Save configuration' button
  7. Click on the 'Site map' link in the navigation to observe the rendered JavaScript

Technical details:

site_map_help() returns the configured site map message for the 'sitemap' path by concatenating it directly into the page markup. No escaping (check_plain()) or tag filtering (filter_xss()) is applied, so any HTML or JavaScript entered in the message is rendered verbatim.
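The following is an added example, not code from the Site map module or from this advisory. It mirrors the shape of site_map_help() for $path == 'sitemap' so the vulnerable and hardened renderings can be compared outside a Drupal bootstrap. Drupal's own _sitemap_get_message(), check_plain() and filter_xss() are not available stand-alone, so _sitemap_get_message_stub() is an assumed stand-in returning the proof-of-concept payload, and check_plain() is modelled with htmlspecialchars(), which it wraps; the function names site_map_help_vulnerable(), site_map_help_plain(), contains_active_content() and audit() are the example's own.

```php
<?php
// Added example: compares the pre-patch rendering with an escaped rendering.
// Not part of the Site map module; helper names below are assumptions.

// Stand-in for the module's _sitemap_get_message(); returns the
// constructed payload used in the advisory's proof of concept.
function _sitemap_get_message_stub() {
  return "<script>alert('xss');</script>";
}

// Vulnerable form: the message is concatenated into the markup untouched,
// exactly as in the pre-patch site_map_help() hunk.
function site_map_help_vulnerable($message) {
  return $message ? '<p>' . $message . '</p>' : '';
}

// Hardened form for a message that should be plain text. Drupal 6's
// check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), so the
// browser displays the tags instead of executing them.
function site_map_help_plain($message) {
  return $message ? '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>' : '';
}

// Crude check used only to compare the two renderings: does the output
// still contain a script tag, an event-handler attribute or a javascript: URL?
function contains_active_content($html) {
  return (bool) preg_match('/<script\b|\bon[a-z]+\s*=|javascript:/i', $html);
}

// Runs each constructed payload through both renderings and reports
// whether active content survives.
function audit(array $payloads) {
  $results = array();
  foreach ($payloads as $name => $payload) {
    $results[$name] = array(
      'raw'     => contains_active_content(site_map_help_vulnerable($payload)),
      'escaped' => contains_active_content(site_map_help_plain($payload)),
    );
  }
  return $results;
}

// Constructed payloads: the advisory's PoC plus two common variants.
$payloads = array(
  'script tag'    => _sitemap_get_message_stub(),
  'event handler' => '<a href="#" onclick="alert(1)">site map</a>',
  'js url'        => '<a href="javascript:alert(1)">site map</a>',
);

echo "vulnerable: " . site_map_help_vulnerable($payloads['script tag']) . "\n";
echo "escaped:    " . site_map_help_plain($payloads['script tag']) . "\n\n";

foreach (audit($payloads) as $name => $r) {
  printf("%-14s raw output active: %-3s escaped output active: %s\n",
    $name, $r['raw'] ? 'yes' : 'no', $r['escaped'] ? 'yes' : 'no');
}
```

Run it with the PHP CLI (php example.php). The escaped rendering neutralizes all three payloads; this is the check_plain() route, appropriate if the message is plain text. The patch below instead uses filter_xss(), which keeps a short allow-list of harmless tags, so the result is formatted text rather than escaped text; pick whichever matches what the message is meant to carry.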

Patch

Applying the following patch, which passes the message through filter_xss() before output, mitigates this vulnerability.

--- site_map/site_map.module  2009-09-30 15:09:30.011119976 -0400
+++ site_map/site_map.module        2009-09-30 15:09:49.295134033 -0400
@@ -14,7 +14,7 @@ function site_map_help($path, $arg) {
   switch ($path) {
     case 'sitemap':
       $output = _sitemap_get_message();
-      return $output ? '<p>'. $output .'</p>' : '';
+      return $output ? '<p>'. filter_xss($output) .'</p>' : '';
   }
 }
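Review bot: filter_xss() with its default allowed-tag list (a, em, strong, cite, code, ul, ol, li, dl, dt, dd in Drupal 6) neutralizes the proof-of-concept <script> payload on the patched line, but it still lets the message carry markup; if the site map message is meant to be plain text, `check_plain($output)` is the stricter choice, and if it is meant to carry formatted HTML, storing it with an input format and rendering via check_markup() would let the site's own filter configuration apply instead of a hard-coded allow-list. The hunk only touches the help text returned for `case 'sitemap':`, so it is worth confirming that _sitemap_get_message() is not output anywhere else without filtering.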