Drupal Image Module XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Image module (http://drupal.org/project/image) "allows users with proper permissions to upload images into Drupal." The Image module contains a cross-site scripting (XSS) vulnerability because the module fails to sanitize gallery names before display.
Drupal 6.19 with Image 6.x-1.0 was tested and shown to be vulnerable.
Users could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. Cross-site scripting can also be used to attack users via client-side application vulnerabilities (such as exploits in browsers or plugins), leading to user machine compromises.
In order to exploit this vulnerability the attacker must have the ability to edit or create image galleries.
Proof of concept:
- Install Drupal 6.19 and Image module version 6.x-1.0
- Enable the Image and Image Gallery modules from ?q=/admin/build/modules
- Create a new Gallery from ?q=admin/content/image/add, enter "<script>alert('xss');</script>" for the 'Gallery name:'
- View the gallery listing at ?q=image and click on the gallery name or navigate directly to the new gallery at ?q=image/tid/1
The following patch mitigates this issue.
--- image/contrib/image_gallery/image_gallery.pages.inc 2010-08-03 13:43:00.000000000 -0400 +++ image.fixed/contrib/image_gallery/image_gallery.pages.inc 2010-12-13 15:55:42.737341682 -0500 @@ -72,7 +72,7 @@ function image_gallery_page($type = NULL $breadcrumb = l($parent->name, 'image/tid/' . $parent->tid); } drupal_set_breadcrumb($breadcrumb); - drupal_set_title($gallery->name); + drupal_set_title(check_plain($gallery->name)); } return theme('image_gallery', $galleries, $images);
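Review bot: The hunk escapes the gallery name only in the drupal_set_title() call inside image_gallery_page(); the name is also displayed in the gallery listing at ?q=image (the fourth proof-of-concept step) and is handed on through theme('image_gallery', $galleries, $images) in the trailing context line, and neither of those output paths is changed here, so confirm they apply check_plain() as well or the injected name remains reachable through them. The breadcrumb in the leading context, l($parent->name, 'image/tid/' . $parent->tid), needs no change, since l() escapes its link text unless 'html' => TRUE is passed.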
Upgrade to the latest version. (Ref: http://drupal.org/node/1005578)
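As an added illustration (not code from the advisory or the Image module), the unpatched and patched title handling side by side, with a stand-in for Drupal 6's check_plain() and a small regression check; the function names and the use of the proof-of-concept gallery name as input are assumptions made for this example.

```php
<?php
// Added example, not part of the advisory or the Image module.

// Stand-in for Drupal 6's check_plain(): encode a string so it is rendered
// as text, not markup. (The real function also rejects invalid UTF-8 first.)
function check_plain_stand_in($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Unpatched behaviour: the gallery name reaches the page title unchanged.
function render_title_unpatched($gallery_name) {
    return '<h1>' . $gallery_name . '</h1>';
}

// Patched behaviour: what wrapping the name in check_plain() achieves.
function render_title_patched($gallery_name) {
    return '<h1>' . check_plain_stand_in($gallery_name) . '</h1>';
}

// Regression check: TRUE if the rendered output still contains a raw tag
// from the input, i.e. the name was emitted without escaping.
function name_rendered_as_markup($rendered, $gallery_name) {
    return strpos($rendered, $gallery_name) !== false
        && strpos($gallery_name, '<') !== false;
}

// Constructed input: the gallery name used in the proof of concept above.
$name = "<script>alert('xss');</script>";

foreach (array('unpatched' => render_title_unpatched($name),
               'patched'   => render_title_patched($name)) as $label => $html) {
    $status = name_rendered_as_markup($html, $name) ? 'VULNERABLE' : 'escaped';
    echo str_pad($label, 10), $status, "  ", $html, "\n";
}
```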