Drupal Panels 6.x-3.3 Module XSS


On Wednesday, May 20, 2010, Drupal security coordinated the announcement of security fixes to the Chaos Tools Suite (http://drupal.org/node/803944) and Panels (http://drupal.org/node/803952) modules. The Panels and CTools updates went hand in hand and fixed a number of issues. One of these was a stored cross site scripting (XSS) vulnerability, discovered by Martin Barbella, that manifested in Panels module version 6.x-3.3 used together with CTools 6.x-1.3.

Systems affected:

Drupal 6.16 with Panels 6.x-3.3 and CTools 6.x-1.3 was tested and shown to be vulnerable.

Mitigating factors

Exploitation requires an account with the 'create content' or 'administer panels' privilege. A user with either privilege could use the proof of concept below to attack other site users, including site administrators.

Impact

Stored cross site scripting could be used to compromise administrative accounts leading to a full server compromise.

Proof of concept

  1. Install and enable Panels and CTools
  2. Create a node with the title "<script>alert(1)</script>" from ?q=node/add, note the node id
  3. Create a "panel node" from ?q=node/add/panel/choose-layout
  4. Choose the 'Single column' layout (?q=node/add/panel/onecol), any layout will work though
  5. Enter "<script>alert(2)</script>" for the 'Title' and arbitrary values for the rest
  6. Click 'Save' to save the panel
  7. Go to the panel content page for this node at ?q=node/XX/panel_content where XX is the node id
  8. Click the gear icon under 'Display settings' and select 'Add Content'
  9. In the lightbox pop up click 'New custom content'
  10. Enter "%node:title" in the 'Body' field, arbitrary values for 'Title' and 'Administrative title'
  11. Click the 'Finish' button
  12. Click the gear icon as in step 8 and click 'Existing node'
  13. Enter the nid from step #2 above in the 'Enter the title or NID of a node:' text area
  14. Click 'Finish'
  15. Observe the JavaScript alert
  16. Click 'Save' to save the panel
  17. Observe the JavaScript alert, further views of the 'Panel content' will reveal this alert
  18. Click the 'View' tab to view the Panel at ?q=node/XX where XX is the nid of the panel
  19. Observe the second JavaScript alert.
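The root of the proof of concept above is that a node title containing markup is substituted into a custom content body (via the %node:title keyword) without being escaped, so a title supplied by one user is executed as script in the browser of anyone who views the panel. The following is an added illustration of that failure mode and of the corrective pattern, written here for this page; it is not Panels or CTools code, and the %node:field token syntax, the NODES sample and the two render functions are assumptions constructed for the example. It also generalises beyond the advisory's single token by escaping every substituted node field, not only the title.

```python
import html
import re

# Constructed sample data standing in for the nodes created in the proof of concept:
# node 1 carries the hostile title from step 2.
NODES = {
    1: {"title": "<script>alert(1)</script>", "type": "page"},
    2: {"title": "Harmless \"quoted\" title", "type": "panel"},
}

# Assumed keyword syntax, modelled on the %node:title token used in the advisory.
TOKEN_RE = re.compile(r"%node:(\w+)")


def render_unescaped(body: str, node: dict) -> str:
    """Vulnerable pattern: substitute node fields into the body verbatim.

    The body author may be trusted to write HTML, but the substituted values
    come from whoever created the referenced node, so raw substitution lets a
    node title smuggle script into every page that renders this content.
    """
    return TOKEN_RE.sub(lambda m: str(node.get(m.group(1), "")), body)


def render_escaped(body: str, node: dict) -> str:
    """Hardened pattern: HTML-escape each substituted value at substitution time.

    The body keeps its own markup; only the data pulled in through tokens is
    neutralised, which is the least-privilege split between template and data.
    """
    return TOKEN_RE.sub(
        lambda m: html.escape(str(node.get(m.group(1), "")), quote=True), body
    )


def contains_active_markup(markup: str) -> bool:
    """Cheap detection check for review or log triage: does rendered output
    still contain an unescaped <script> tag?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    body = "<p>Referenced node: %node:title (type %node:type)</p>"
    for nid, node in NODES.items():
        raw = render_unescaped(body, node)
        safe = render_escaped(body, node)
        print(f"node {nid} raw  -> {raw!r} active={contains_active_markup(raw)}")
        print(f"node {nid} safe -> {safe!r} active={contains_active_markup(safe)}")
```

Running it shows the hostile title surviving intact in the unescaped output and arriving as inert `&lt;script&gt;` text in the escaped one, while the quoted title is also safe in attribute context because `quote=True` converts double quotes. The same split applies wherever a module lets one user's stored data flow into another user's rendered page: escape at the point where data enters markup, not at the point where it was entered into the form.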

Solution

Upgrade to the latest versions of CTools and Panels, which include the fixes announced in the advisories linked above.