Drupal Webform 6.x-2.7 and 5.x-2.7 XSS Vulnerabilities
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and backed by a database such as MySQL that provides extensibility through various third party modules. The Webform module (http://drupal.org/project/webform) "adds a webform nodetype to your Drupal site. Typical uses for Webform are questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems."
The Webform module contains a stored cross site scripting vulnerability because it does not sanitize webform component names before rendering them in the results analysis page. A component name is attacker-controlled text taken from the webform edit form and echoed back as HTML.
Systems affected:
Drupal 6.13 with Webform 6.x-2.7 and Drupal 5.13 with Webform 5.x-2.7 were tested and shown to be vulnerable.
Impact:
The injected script runs in the browser of any user who views the affected results page, including site administrators. A stolen administrative session or a forged request issued from an administrator's browser can be used to take over the account, and administrative access to a Drupal site can in turn lead to compromise of the web server process.
Mitigating factors:
The Webform module must be installed and enabled. To carry out a Webform based XSS exploit against the module the attacker must be able to inject malicious content into a webform component name, which requires the 'create webforms' permission. The payload is stored with the webform and fires whenever a user with access to the form's results views the 'Analysis' page.
Proof of Concept:
- Install Drupal 6.13 and Webform module
- Enable the module through Administer -> Modules
- Create a new webform by clicking Create content -> Webform
- Fill in 'Test' for the Title and click 'Submit' to save the new form
- In the resulting 'Form components table' fill in "<script>alert('xss');</script>" in the 'Name' for a new textfield component then click add.
- Click the 'Submit' button
- Click the 'Results' tab then the 'Analysis' sub-tab to view the 'xss' JavaScript alert.
Drupal 6 Technical details:
The Webform module fails to sanitize the component name before display on line 484 of webform/webform_report.inc (in webform_results_analysis()), where $component['name'] is concatenated directly into the table header cell for each component. Wrapping the value in check_plain(), which HTML-encodes the characters that open tags and attributes, is sufficient here because the cell is meant to show the name as plain text. Applying the patch below fixes this vulnerability.
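The following script is an added example, not code from the advisory or from the Webform module. It reproduces the $row[1] construction from webform_results_analysis() both as written (the vulnerable path) and with check_plain() applied, using the advisory's proof-of-concept payload as the component name, and it includes a simple check an administrator can run over existing component names before upgrading. The check_plain() stand-in, the render_cell() helper and the {webform_component} table name mentioned in the comments are assumptions made so the script runs outside Drupal.

```php
<?php
// Added example (not part of the advisory or the Webform module).

// Stand-in for Drupal's check_plain() so the script runs outside Drupal.
// Assumption: Drupal core implements it as htmlspecialchars() with ENT_QUOTES
// on valid UTF-8 input, which is what this replacement does.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Builds the header cell for one component, mirroring the $row[1] array built in
// webform_report.inc. $sanitize = FALSE reproduces the vulnerable line; TRUE
// reproduces the patched line.
function webform_analysis_name_cell($name, $sanitize) {
  $data = $sanitize ? check_plain($name) : $name;
  return array('data' => '<strong>' . $data . '</strong>', 'colspan' => '10');
}

// Minimal renderer for a single cell, standing in for theme('table'), which
// also emits the 'data' value as raw HTML.
function render_cell($cell) {
  return '<td colspan="' . $cell['colspan'] . '">' . $cell['data'] . '</td>';
}

// Flags component names that the vulnerable line would render as markup.
// Angle brackets are the only characters that can open a tag, so this catches
// stored payloads without flagging benign names that merely contain & or quotes.
// On a live site the names would come from a query such as
//   db_query("SELECT nid, cid, name FROM {webform_component}")
// (table name assumed from the Webform 2.x schema; verify against webform.install).
function component_name_is_suspicious($name) {
  return preg_match('/[<>]/', $name) === 1;
}

// Constructed sample input: the advisory's PoC payload, a benign name containing
// characters check_plain() must still escape, and a plain name.
$samples = array(
  "<script>alert('xss');</script>",
  "Name & \"Address\"",
  "Email",
);

foreach ($samples as $name) {
  printf("component name : %s\n", $name);
  printf("  vulnerable   : %s\n", render_cell(webform_analysis_name_cell($name, FALSE)));
  printf("  patched      : %s\n", render_cell(webform_analysis_name_cell($name, TRUE)));
  printf("  suspicious   : %s\n\n", component_name_is_suspicious($name) ? 'yes' : 'no');
}
```

Run it with `php example.php`. For the PoC name the vulnerable cell contains a live `<script>` element, while the patched cell contains `&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;`, which the browser displays as text. The benign name is escaped to `Name &amp; &quot;Address&quot;` without being flagged, which is the behaviour the check_plain() fix relies on: encoding for output, not rejecting input.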
Patch for Drupal 6
Applying the following patch mitigates these threats.
diff -up webform/webform_report.inc webform_fixed/webform_report.inc --- webform/webform_report.inc 2009-03-04 00:05:12.000000000 -0500 +++ webform_fixed/webform_report.inc 2009-08-25 12:27:14.496322592 -0400 @@ -481,7 +481,7 @@ function webform_results_analysis($node, $crows = $analysis_function($component, $sids); if (is_array($crows)) { $row[0] = array('data' => '<strong>'. $question_number .'</strong>', 'rowspan' => count($crows) + 1, 'valign' => 'top'); - $row[1] = array('data' => '<strong>'. $component['name'] .'</strong>', 'colspan' => '10'); + $row[1] = array('data' => '<strong>'. check_plain($component['name']) .'</strong>', 'colspan' => '10'); $rows = array_merge($rows, array_merge(array($row), $crows)); } }
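Review bot: the hunk wraps only the one output site in webform_results_analysis() and leaves $question_number concatenated raw in $row[0] on the line above; from the visible context it is a numbering value, but confirm it is integer-typed, and before relying on this patch in place of the vendor upgrade grep the module for other places where $component['name'] is concatenated into rendered output and confirm each goes through check_plain() as well.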
Drupal 5 Technical details:
The Webform module fails to sanitize the component name before display on line 481 of webform/webform_report.inc (the same $row[1] construction in webform_results_analysis()). Applying the patch below fixes this vulnerability.
Patch for Drupal 5
Applying the following patch mitigates these threats.
--- webform_report.inc 2009-03-04 00:05:18.000000000 -0500 +++ webform_report.inc.fixed 2009-08-25 12:58:53.284318098 -0400 @@ -478,7 +478,7 @@ function webform_results_analysis($node, $crows = $analysis_function($component, $sids); if (is_array($crows)) { $row[0] = array('data' => '<strong>'. $question_number .'</strong>', 'rowspan' => count($crows) + 1, 'valign' => 'top'); - $row[1] = array('data' => '<strong>'. $component['name'] .'</strong>', 'colspan' => '10'); + $row[1] = array('data' => '<strong>'. check_plain($component['name']) .'</strong>', 'colspan' => '10'); $rows = array_merge($rows, array_merge(array($row), $crows)); } }
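Review bot: this patch's file header names a bare webform_report.inc with no directory prefix, unlike the Drupal 6 patch which uses webform/ and webform_fixed/, so it must be applied from inside the module directory with the matching -p level or it will fail to locate the file; the change itself is the same single check_plain() wrap as the Drupal 6 hunk, so the same check for other unescaped uses of $component['name'] applies here.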
Vendor Response
Upgrade to the latest version of the Webform module (http://drupal.org/node/604942).