Drupal Link 5.x-2.5 XSS Vulnerability


Description

Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third-party modules. While the security of Drupal core modules is vetted by a central security team (http://drupal.org/security), third-party modules are not reviewed for security.

The Link module (http://drupal.org/project/link) is a module that extends the Drupal CCK (Content Creation Kit) module (http://www.drupal.org/project/cck) by allowing users to add links to their content types.

Cross Site Scripting (XSS) Vulnerability

The Link module version 5.x-2.5 contains an XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) vulnerability in the 'Help' field. Any user with rights to administer content types can edit a content type that contains a link field or create a content type that contains a link field. In the 'Widget settings' fieldset presented during configuration of the specific image field, a textarea labeled 'Help text:' is presented. Arbitrary script can be entered into this text area, and it is not escaped when displayed. This vulnerability is especially dangerous because the script executes whenever a user creates new content of the type with the XSS-infected help text. This potentially exposes site administrators to the XSS attack.
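A site owner can check whether any stored help text already carries script-capable markup by auditing the help-text values of each field. The following is an added example, not code from the advisory or the Link module; the row format, the tag allow-list and the sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: markup a help text may legitimately contain on this site.
ALLOWED_TAGS = {"a", "em", "strong", "code", "br", "p", "ul", "ol", "li"}
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


class HelpTextAuditor(HTMLParser):
    """Collects markup in a help text that can run script in a browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters in a scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script-capable URL in {name} on <{tag}>")


def audit_help_text(text):
    auditor = HelpTextAuditor()
    auditor.feed(text or "")
    auditor.close()
    return auditor.findings


def audit_fields(rows):
    """rows: (content_type, field_name, help_text) tuples; returns flagged ones."""
    return {(ctype, field): found for ctype, field, text in rows
            if (found := audit_help_text(text))}


# Constructed sample export, not data from a real site.
SAMPLE_ROWS = [
    ("story", "field_homepage", "Enter the full URL, e.g. <em>http://example.com</em>."),
    ("event", "field_tickets", "<script>alert(1)</script>"),
    ("page", "field_source", '<a href="#" onmouseover="alert(1)">see docs</a>'),
]

if __name__ == "__main__":
    for key, found in audit_fields(SAMPLE_ROWS).items():
        print(key, found)
```

Any field the audit flags should have its help text reviewed and cleaned, since the stored value runs each time a user opens the content creation form for that type.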

Andrew Rosborough is also credited with finding this vulnerability.