Drupal 5.20 and 6.14 Filter Module (Core) XSS Vulnerabilities


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. Drupal 5.20 and Drupal 6.14 contain several core modules that enable basic functionality, including the filter module.

The filter module in Drupal 5.20 and 6.14 contains a cross-site scripting (XSS) vulnerability because it does not properly sanitize the 'Site name' variable before display.
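To make the sink concrete, the following stand-alone PHP is an added example, not code from Drupal or from the advisory author. It reproduces the shape of the vulnerable concatenation (a stored site name dropped straight into an anchor), the hardened form, and a simple defender's check on the stored value. Drupal's check_plain() is assumed to reduce to htmlspecialchars() with ENT_QUOTES, so a stand-in built on PHP core is used; the base URL and the stored site name are constructed values mirroring the proof of concept, not read from any site.

```php
<?php
// Added example (not Drupal code): why the filter-tips anchor is an XSS sink
// and how output escaping removes it. Runs without a Drupal bootstrap.

// Stand-in for variable_get('site_name', 'Drupal'). The value is constructed
// to mirror the advisory's proof-of-concept payload; it is not read from a site.
function stored_site_name() {
    return "<script>alert('xss');</script>";
}

// Assumption: Drupal 5/6 check_plain() is htmlspecialchars() with ENT_QUOTES
// on valid UTF-8. This stand-in reproduces that behaviour.
function check_plain_stand_in($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable row: the stored value is concatenated into markup unescaped,
// so any tags in the site name are rendered by the browser.
function anchor_tip_vulnerable($base_url, $site_name) {
    return '<a href="' . $base_url . '">' . $site_name . '</a>';
}

// Hardened row: the site name is escaped as plain text before concatenation,
// so the same input is shown literally rather than executed.
function anchor_tip_hardened($base_url, $site_name) {
    return '<a href="' . $base_url . '">' . check_plain_stand_in($site_name) . '</a>';
}

// Defender's check (heuristic): a site name is plain text and should survive
// strip_tags() unchanged; any difference means markup is stored in it.
function site_name_contains_markup($site_name) {
    return $site_name !== strip_tags($site_name);
}

$base_url = 'http://example.com'; // constructed
$name = stored_site_name();

echo "vulnerable: " . anchor_tip_vulnerable($base_url, $name) . "\n";
echo "hardened:   " . anchor_tip_hardened($base_url, $name) . "\n";
echo "markup stored in site name: " . (site_name_contains_markup($name) ? 'yes' : 'no') . "\n";
```

The hardened row shows the angle brackets and quotes as entities, which is the outcome both patches below aim for; the strip_tags() check is the kind of audit an administrator of an unpatched site can run against the stored site_name value to see whether the variable already carries markup.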

Systems affected:

Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise, which could in turn lead to compromise of the web server process.

Mitigating factors:

To carry out a filter-based XSS exploit the attacker must have 'administer site configuration' permissions.

Proof of Concept 1:

  1. Install Drupal
  2. Install Wikitools
  3. Change the site name from Administer -> Site configuration -> Site information
  4. Enter "<script>alert('xss');</script>" for the 'Name' and click 'Save configuration'
  5. View the new content creation form by clicking Create content -> Page
  6. Click the 'Input format' link to expand that area of the form
  7. Click the 'More information about formatting options' link (or browse to the '?q=filter/tips' URL)
  8. Observe the rendered JavaScript

Patch for Drupal 6

Applying the following patch mitigates these threats in Drupal 6.14.

--- filter/filter.module   2009-10-09 15:06:20.326103353 -0400
+++ filter/filter.module        2009-10-09 15:09:21.611265554 -0400
@@ -188,7 +188,7 @@ function filter_filter_tips($delta, $for
 <p>This site allows HTML content. While learning all of HTML may feel intimidating, learning how to use a very small number of the most basic HTML "tags" is very easy. This table provides examples for each tag that is enabled on this site.</p>
 <p>For more information see W3C\'s <a href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your favorite search engine to find other sites that explain HTML.</p>');
               $tips = array(
-                'a' => array( t('Anchors are used to make links to other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name', 'Drupal') .'</a>'),
+                'a' => array( t('Anchors are used to make links to other pages.'), '<a href="'. $base_url .'">'. filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
                 'br' => array( t('By default line break tags are automatically added, so use this tag to add additional ones. Use of this tag is different because it is not used with an open/close pair like all the others. Use the extra " /" inside the tag to maintain XHTML 1.0 compatibility'), t('Text with <br />line break')),
                 'p' => array( t('By default paragraph tags are automatically added, so use this tag to add additional ones.'), '<p>'. t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
                 'strong' => array( t('Strong'), '<strong>'. t('Strong') .'</strong>'),
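Review bot: filter_xss() on the changed 'a' line keeps its default allowed-tag set (a, em, strong, cite, code, ul, ol, li, dl, dt, dd), so markup in the site name using those tags still renders as HTML inside the anchor, including a nested <a>; a site name is plain text, so the tighter fix is `filter_xss(variable_get('site_name', 'Drupal'))` replaced by `check_plain(variable_get('site_name', 'Drupal'))`, which escapes everything. If filter_xss() is kept deliberately, pass an empty allowed-tag array and say so in a comment.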

Patch for Drupal 5

Applying the following patch mitigates these threats in Drupal 5.20.

--- filter/filter.module   2009-10-09 15:12:28.781103173 -0400
+++ filter/filter.module        2009-10-09 15:12:37.655254084 -0400
@@ -170,7 +170,7 @@ function filter_filter_tips($delta, $for
 <p>This site allows HTML content. While learning all of HTML may feel intimidating, learning how to use a very small number of the most basic HTML "tags" is very easy. This table provides examples for each tag that is enabled on this site.</p>
 <p>For more information see W3C\'s <a href="http://www.w3.org/TR/html/">HTML Specifications</a> or use your favorite search engine to find other sites that explain HTML.</p>');
               $tips = array(
-                'a' => array( t('Anchors are used to make links to other pages.'), '<a href="'. $base_url .'">'. variable_get('site_name', 'Drupal') .'</a>'),
+                'a' => array( t('Anchors are used to make links to other pages.'), '<a href="'. $base_url .'">'. filter_xss(variable_get('site_name', 'Drupal')) .'</a>'),
                 'br' => array( t('By default line break tags are automatically added, so use this tag to add additional ones. Use of this tag is different because it is not used with an open/close pair like all the others. Use the extra " /" inside the tag to maintain XHTML 1.0 compatibility'), t('Text with <br />line break')),
                 'p' => array( t('By default paragraph tags are automatically added, so use this tag to add additional ones.'), '<p>'. t('Paragraph one.') .'</p> <p>'. t('Paragraph two.') .'</p>'),
                 'strong' => array( t('Strong'), '<strong>'. t('Strong'). '</strong>'),
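Review bot: the same escaping choice as in the Drupal 6 hunk applies here, and check_plain() exists in Drupal 5 as well, so the 'a' line would be tighter as `'<a href="'. $base_url .'">'. check_plain(variable_get('site_name', 'Drupal')) .'</a>'`. The hunk also changes only the single concatenation in filter_filter_tips() that the proof of concept reaches; since the advisory describes the variable as unsanitized "before display" generally, the submission should state whether other output points of site_name in this module were checked.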

Vendor Response

According to the vendor's website, this vulnerability requires "advanced permissions" and will not be addressed (ref http://drupal.org/node/475848).