Drupal Zen Theme 6.x-1.1 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides custom look-and-feel functionality through themes. The popular Zen theme (http://drupal.org/project/zen) contains a cross-site scripting (XSS) vulnerability because it fails to properly sanitize the breadcrumb separator when it is displayed, allowing arbitrary script injection.

Systems affected:

Zen 6.x-1.1 was tested and shown to be vulnerable.

Mitigating factors:

An attacker must have the 'administer site configuration' permission or write access to the database in order to exploit this vulnerability. Additionally, the breadcrumb configuration form limits the separator to 10 characters.

Proof of concept:

  1. Install Drupal 6.16 and the Zen theme.
  2. Enable the Zen theme from Administer -> Site building -> Modules.
  3. Go to Administer -> Site building -> Themes.
  4. Click on the 'configure' link.
  5. Enter "<em>!</em>" in the 'Breadcrumb separator' text area.
  6. Click the 'Save configuration' button.
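To show the rendering defect the proof of concept exercises, here is an added example (not code from the Zen theme or from this advisory) that builds a breadcrumb trail from a stored separator first without and then with output escaping. `sample_theme_get_setting()` and `render_check_plain()` are assumed stand-ins for Drupal 6's `theme_get_setting()` and `check_plain()`; the separator value is the constructed sample from step 5 above.

```php
<?php
// Added example, not code from the Zen theme or this advisory.

// Stand-in for Drupal 6's check_plain(): escape HTML special characters so
// a stored setting is rendered as literal text rather than as markup.
function render_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Assumed stand-in for theme_get_setting(): returns the value an
// administrator saved in the 'Breadcrumb separator' field (constructed input).
function sample_theme_get_setting($name) {
  $settings = array('zen_breadcrumb_separator' => '<em>!</em>');
  return isset($settings[$name]) ? $settings[$name] : NULL;
}

// Unsafe: the separator is concatenated into the page as raw HTML, so any
// markup stored in the setting is interpreted by the browser.
function breadcrumb_unsafe(array $breadcrumb) {
  $sep = sample_theme_get_setting('zen_breadcrumb_separator');
  return '<div class="breadcrumb">' . implode($sep, $breadcrumb) . '</div>';
}

// Hardened: the separator is escaped at output time, so the stored tags
// appear as visible text. The crumb links are already trusted HTML
// produced by Drupal and are left untouched.
function breadcrumb_safe(array $breadcrumb) {
  $raw = sample_theme_get_setting('zen_breadcrumb_separator');
  $sep = render_check_plain($raw);
  return '<div class="breadcrumb">' . implode($sep, $breadcrumb) . '</div>';
}

// Constructed breadcrumb links, as Drupal would hand them to the theme.
$crumbs = array('<a href="/">Home</a>', '<a href="/node/1">Page</a>');

echo "Unsafe: ", breadcrumb_unsafe($crumbs), "\n";
echo "Safe:   ", breadcrumb_safe($crumbs), "\n";
```

Comparing the two lines of output shows the difference the patch below is meant to make: in the hardened version the `<em>` tags from the setting survive only as escaped text.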

Patch:

Applying the following patch mitigates these threats.

--- zen/zen/template.php	2010-03-26 10:09:43.718371984 -0400
+++ zen/zen/template.php	2010-03-26 10:09:54.864395793 -0400
@@ -60,7 +60,7 @@ function zen_breadcrumb($breadcrumb) {
 
     // Return the breadcrumb with separators.
     if (!empty($breadcrumb)) {
-      $breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator'));
+      $breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator');
       $trailing_separator = $title = '';
       if (theme_get_setting('zen_breadcrumb_title')) {
         if ($title = drupal_get_title()) {
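Review bot: the direction of this hunk contradicts the stated mitigation: the `-` line removes `check_plain(theme_get_setting('zen_breadcrumb_separator'))` and the `+` line assigns the raw `theme_get_setting(...)` value, which would strip the escaping rather than add it. Either the `---` and `+++` files were diffed in the wrong order, or the intended change is the inverse; suggest regenerating the diff with the original file first so that the `+` line is the one carrying the `check_plain()` wrapper, and including the later lines where `$breadcrumb_separator` is concatenated into the output so a reader can confirm no other escaping is relied on.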