Open source software security

Drupal Organic Groups Menu Module 6.x-2.0 XSS Vulnerability

30 November -0001

Description of Vulnerability:

CVE-2010-1747

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal OG Menu module (http://drupal.org/project/og_menu) "allows users to manage menus by Organic Groups." The Drupal OG Menu module contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize menu descriptions before display.

Systems affected:

Drupal 6.16 with OG Menu 6.x-2.0 was tested and shown to be vulnerable

Impact

User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise.

Mitigating factors:

In order to execute the proof of concept described below malicious users must have 'Administer og menu' permission.

Proof of Concept:

  1. Install Drupal 6.16, Organic Groups module and OG Menu module
  2. Create or view a piece of content in an organic group
  3. Click on the 'Menu' link to view ?q=node/XX/og_menu where XX is the node id
  4. Click the 'Add Menu' link to view ?q=node/XX/og_menu/add
  5. Fill in arbitrary values for the 'Menu name' and 'Title', enter "<script>alert('xss');</script>" in the 'Description' text area
  6. Click the 'Save' button
  7. View the menu at ?q=node/13/og_menu/ to observe the JavaScript alert

Patch:

Applying the following patch mitigates this issue in version 6.x-2.0

--- og_menu/og_menu.module	2010-02-09 07:33:31.000000000 -0500
+++ og_menu/og_menu.module	2010-05-06 13:26:44.080266269 -0400
@@ -333,6 +333,7 @@ function og_menu_overview_page($node) {
   while ($menu = db_fetch_array($result)) {
     $menu['href'] = 'node/'. $node->nid .'/og_menu/'. $menu['menu_name'];
     $menu['localized_options'] = array();
+    $menu['description'] = check_plain($menu['description']);
     $content[] = $menu;
   }
   return theme('admin_block_content', $content);

Vendor Response:

Module has been unpublished per SA-CONTRIB-2010-073.