Drupal Wikitools 6.x-1.2 and 5.x-1.3 XSS Vulnerability


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third-party modules. The Wikitools module (http://drupal.org/project/wikitools) "provides some settings to get a more wiki-like behavior. It aims to be lightweight; all features are optional, and it provides no database tables of its own."

The Wikitools module contains a cross-site scripting vulnerability because it does not properly sanitize the output of content type names before display.

Systems affected:

Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise, which could in turn lead to compromise of the web server process.

Mitigating factors:

The Wikitools module must be installed. To carry out a Site map based XSS exploit, the attacker must have 'administer content types' permissions.

Proof of Concept:

  1. Install Drupal
  2. Install Wikitools
  3. Create a new content type from Administer -> Content management -> Content types -> Add content type
  4. Enter "<script>alert('xss');</script>" for the content type name and save the new content type
  5. Enable the Wikitools module from Administer -> Site Building -> Modules
  6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript

Technical details:

The Wikitools module fails to sanitize the output of content type names before display, leading to an arbitrary HTML injection vulnerability.
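The following stand-alone PHP sketch is an added illustration, not code from Wikitools or Drupal: it models a form renderer that emits checkbox labels verbatim, then applies output escaping the way the patches below apply a sanitizer through array_map(). The function names and the sample type names are assumptions made up for the example; htmlspecialchars() stands in for the kind of escaping Drupal's check_plain() performs.

```php
<?php
// Added illustration; function names are hypothetical, not Wikitools or Drupal code.

// Constructed sample: machine name => human-readable name as an admin could enter it.
$type_names = array(
  'page'  => 'Page',
  'story' => 'Story & <em>news</em>',
  'wiki'  => "<script>alert('xss');</script>",
);

// Escape text for an HTML element or attribute context.
function escape_label($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Minimal stand-in for a checkboxes renderer: labels are emitted as given,
// so any sanitizing has to happen before the options reach it.
function render_checkboxes($name, array $options) {
  $html = '';
  foreach ($options as $key => $label) {
    $html .= '<label><input type="checkbox" name="' . escape_label($name)
      . '[' . escape_label($key) . ']" /> ' . $label . "</label>\n";
  }
  return $html;
}

// Before: names go straight into the markup, so the script element is live.
$unsafe = render_checkboxes('wikitools_node_types', $type_names);

// After: sanitize at output. array_map() with a single array keeps the string
// keys, so the submitted checkbox values are still the machine names.
$escaped = array_map('escape_label', $type_names);
$safe = render_checkboxes('wikitools_node_types', $escaped);

echo "--- unsanitized ---\n", $unsafe, "--- escaped ---\n", $safe;

// Checks: keys unchanged, raw tag present before and absent after.
$ok = array_keys($escaped) === array_keys($type_names)
  && strpos($unsafe, '<script') !== false
  && strpos($safe, '<script') === false;
if (!$ok) {
  fwrite(STDERR, "sanitization check failed\n");
  exit(1);
}
echo "checks passed\n";
```

In the escaped output the third label appears as visible text (&lt;script&gt;...) instead of an element the browser would run.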

Patch for Wikitools 5.x-1.3

Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

--- wikitools/wikitools.module  2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module    2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
-    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#size' => count(node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
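
Review bot: filter_xss on the '#options' line still lets its default list of tags through (a, em, strong, cite, code and the list tags), so a content type name can carry markup such as links into the checkbox labels. Type names are plain text, so array_map('check_plain', node_get_types('names')) would be the tighter choice here. Separately, node_get_types('names') is now called on two adjacent lines ('#options' and '#size'); fetching it once into a variable would keep the two in step.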

Patch for Wikitools 6.x-1.2

Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

--- wikitools/wikitools.admin.inc       2009-06-17 23:57:33.000000000 -0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
   $form['wikitools_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Wiki node types'),
-    '#options' => node_get_types('names'),
+    '#options' => array_map('filter_xss', node_get_types('names')),
     '#default_value' => wikitools_node_types(),
     '#multiple' => TRUE,
     '#description' => t('Select the node types which will be affected by the specified options. If you select multiple node types, all nodes of these types will be searched for when a wikipath is entered. If a wikipage doesn\'t exist, an option to create any of these types will be given.'),
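
Review bot: the changed '#options' line carries no comment saying why the names are passed through a filter, and nothing else in wikitools_admin_settings() hints at it, so a later cleanup could revert it to the bare node_get_types('names') call. A one-line comment above it, noting that node type names are administrator-entered text shown as checkbox labels, would document the intent. As a style point on the last context line, the '#description' string escapes its apostrophe (doesn\'t); wrapping that string in double quotes would avoid the backslash.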

Vendor Response

In the past the vendor has responded that vulnerabilities requiring 'administer content types' privileges have already been addressed by SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not classified as security vulnerabilities, but rather as bugs.