Open source software security

Drupal Better Formats 6.x-1.2 XSS Vulnerability

30 November -0001

Description of Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Better Formats module (http://drupal.org/project/better_formats) contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display.

Systems affected:

Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be vulnerable

Impact

User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise.

Mitigating factors:

In order to execute arbitrary script injection malicious users must have 'Administer filters' permission. The Drupal security team has classified vulnerabilities that require this permission (http://drupal.org/node/475848) as "display bugs" because access to this permission allows for alteration of input specifications that could allow users with permissions to create content to craft arbitrary PHP.

Patch:

Applying the following patch mitigates this issue in version 6.x-1.2

--- better_formats/better_formats.module	2010-02-05 08:59:18.000000000 -0500
+++ better_formats/better_formats.module	2010-04-27 11:35:53.444189426 -0400
@@ -537,7 +537,7 @@ function better_formats_filter_form($val
 
     $form = array(
       '#type' => 'fieldset',
-      '#title' => $fieldset_title,
+      '#title' => check_plain($fieldset_title),
       '#collapsible' => $collapsible,
       '#collapsed' => $collapsed,
       '#weight' => $weight,
@@ -551,7 +551,7 @@ function better_formats_filter_form($val
       $parents_for_id = array_merge($parents, array($format->format));
       $form[$format->format] = array(
         '#type' => 'radio',
-        '#title' => $format->name,
+        '#title' => check_plain($format->name),
         '#default_value' => $default,
         '#return_value' => $format->format,
         '#parents' => $parents,