Drupal 6 Core Cross Site Scripting Vulnerabilities


Drupal 6.12 core contains two widely used functions that fail to properly sanitize their output. Drupal uses the non-standard approach of sanitizing user-supplied input as data is retrieved from the data layer and rendered, rather than as it is submitted. This causes frequent confusion among developers and leads to vulnerabilities in Drupal modules; even Drupal core is not immune to these errors. Cross site scripting (XSS) vulnerabilities, in which arbitrary HTML injected into the data layer is later rendered without being sanitized, can lead to the compromise of Drupal user accounts.

The Drupal node module, part of core, is included with every Drupal installation. Its node_get_types() function fails to sanitize content type names before returning them. Because this function is part of the Drupal core API, it is used by many third-party contributed modules, and any module that outputs its return values without sanitizing them is exposed to cross site scripting.

Similarly, the Drupal user module is part of core. Its user_roles() function fails to sanitize role names, leading to XSS vulnerabilities in any module or function that outputs the values this API call returns. Vulnerabilities of this type are not limited to third-party modules: they occur on several screens of the Drupal administrative interface itself.

Drupal developers often expect core API calls to sanitize data before returning it. When such core API calls return unsanitized values and the output is not passed through check_plain() or similar functionality, XSS vulnerabilities result throughout Drupal modules.
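The following PHP script is an added example for this advisory, not code from Drupal core or from a contributed module. It models the caller-side pattern behind both findings above: node_get_types() and user_roles() hand back administrator-supplied names unchanged, so a module that drops those names straight into HTML creates an XSS sink, while the same code with check_plain() applied at output time does not. The sample name arrays are constructed stand-ins for what those two functions return, and check_plain_local() is a local re-implementation that assumes Drupal 6's check_plain() semantics (HTML-escape valid UTF-8, return an empty string for invalid UTF-8); nothing here requires a Drupal bootstrap.

```php
<?php
// Added example, not Drupal core code. Demonstrates the XSS sink created when
// the names returned by node_get_types('names') / user_roles() are printed
// raw, and the fix of escaping them with check_plain() at output time.

// Local stand-in for Drupal 6's check_plain() (assumption: same behaviour as
// core, i.e. htmlspecialchars() on valid UTF-8, '' for invalid UTF-8).
function check_plain_local($text) {
  $valid_utf8 = ($text === '') || preg_match('/^./us', $text) === 1;
  return $valid_utf8 ? htmlspecialchars($text, ENT_QUOTES, 'UTF-8') : '';
}

// Constructed sample data standing in for node_get_types('names'):
// a keyed array of content type names, one of which carries markup that an
// administrator with "administer content types" could have entered.
function sample_type_names() {
  return array(
    'page'  => 'Page',
    'story' => 'Story <script>alert(1)</script>',
  );
}

// Constructed sample data standing in for user_roles(): role names keyed by
// role id, one containing HTML.
function sample_role_names() {
  return array(
    1 => 'anonymous user',
    2 => 'authenticated user',
    3 => '<b>editor</b>',
  );
}

// Vulnerable pattern: trusts the API return value and prints it unescaped.
function render_select_unsafe(array $names) {
  $html = "<select>\n";
  foreach ($names as $key => $name) {
    $html .= "  <option value=\"$key\">$name</option>\n";
  }
  return $html . "</select>\n";
}

// Hardened pattern: every API-sourced string passes through check_plain()
// at the point it is placed into HTML. Storing escaped names instead would
// break Drupal's convention of escaping on output, so the fix lives here.
function render_select_safe(array $names) {
  $html = "<select>\n";
  foreach ($names as $key => $name) {
    $html .= '  <option value="' . check_plain_local($key) . '">'
           . check_plain_local($name) . "</option>\n";
  }
  return $html . "</select>\n";
}

// Defender-side check: the template emits exactly 2 + 2 * count($names) tags
// (select open/close plus option open/close per entry); any extra tag in the
// rendered output came from the data and indicates unescaped markup.
function leaks_markup(array $names, $html) {
  $expected = 2 + 2 * count($names);
  return preg_match_all('/<[a-zA-Z\/][^>]*>/', $html, $m) > $expected;
}

foreach (array('content types' => sample_type_names(),
               'roles'         => sample_role_names()) as $label => $names) {
  $unsafe = render_select_unsafe($names);
  $safe   = render_select_safe($names);
  echo "--- $label, printed raw (leaks markup: "
     . (leaks_markup($names, $unsafe) ? 'yes' : 'no') . ") ---\n$unsafe";
  echo "--- $label, via check_plain() (leaks markup: "
     . (leaks_markup($names, $safe) ? 'yes' : 'no') . ") ---\n$safe";
}
```

Run it with `php example.php`: the raw rendering reports `leaks markup: yes` and contains a live `<script>` element inside the option text, while the check_plain() rendering reports `no` and shows `&lt;script&gt;` as inert text. The leaks_markup() tag-count check is a crude audit aid for templates of known shape, not a substitute for escaping.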

Under normal circumstances only Drupal users with administrative privileges can create content types or roles, so the scope of the vulnerability is limited. However, a user with the privilege to create content types or roles can inject arbitrary HTML into these names and carry out XSS attacks through any module or function that uses either of these core API calls.