Open source software security

Drupal Panels 5.x-1.2 XSS Vulnerability


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Panels module (http://drupal.org/project/panels) "allows a site administrator to create customized layouts for multiple uses. At its core it is a drag and drop content manager that lets you visually design a layout and place content within that layout." Unfortunately the Panels module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) because it fails to sanitize the div class and id values configured for panes before displaying them.

Systems affected:

Drupal 5.21 with Panels 5.x-1.2 was tested and shown to be vulnerable.

Impact:

A user could inject arbitrary scripts into pages, affecting site users. This could result in administrative account compromise, leading in turn to compromise of the web server process. A more likely scenario is an attacker injecting hidden content (such as iframes, applets, or embedded objects) that attacks client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site, with other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must have credentials for an account that has been assigned the 'use page manager' and 'administer advanced pane settings' permissions. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept:

  1. Install Drupal 5, Panels 5.x-1.2 and Ctools module (a prerequisite)
  2. Enable the Panels module and the page manager in Ctools from ?q=/admin/build/modules
  3. Administer panels from ?q=/admin/build/panels and click on the 'Panel page' link on the left
  4. Check 'Make this your site home page' and fill in arbitrary values for the rest
  5. In the resulting screen (?q=admin/build/pages/add/page-[page_name]/next) select the 'Flexible' layout (under 'Builders') from the Category drop-down
  6. Click continue
  7. Enter arbitrary values in the resulting form
  8. Click finish then 'Update and save'
  9. In the Panel Content designer (?q=admin/build/pages/nojs/operation/page-[page_name]/handlers/page_[page_name]_panel_context/content) click the gear in the 'Center' region
  10. Select 'Add content'
  11. Select 'Existing node' and enter the nid of an existing node.
  12. Click the gear to the right of the header in the new box preview of the node
  13. Select 'CSS Properties'
  14. In the shadow box that pops up enter '"><script>alert('xss1');</script><div id="' for the 'CSS ID'
  15. Enter '"><script>alert('xss1');</script><div id="' for the 'CSS class'
  16. Click 'Update and preview' to observe the JavaScript alerts
  17. Click 'Save' to store these values so they are displayed on the home page
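The attribute-context problem described above, as an added Python illustration that is not Drupal's or the Panels module's code: a stand-in for the unpatched template, the quote-stripping approach the patch below takes, and attribute escaping, each checked with a browser-style HTML parser. The template string, the benign values and the helper names are assumptions; the payload is the one from step 14.

```python
import html
from html.parser import HTMLParser

# Constructed inputs; PAYLOAD is the value entered in step 14 of the proof of concept.
PAYLOAD = '"><script>alert(\'xss1\');</script><div id="'
BENIGN_ID, BENIGN_CLASS = 'pane-1', 'sidebar highlight'


def render_unpatched(css_id, css_class, body):
    """Stand-in for the pre-patch template: values land in attributes verbatim.
    (A minimal reimplementation of the flaw, not Drupal's theme function.)"""
    return '<div id="%s" class="%s">%s</div>' % (css_id, css_class, body)


def strip_double_quotes(value):
    """What the page's patch does: drop only the double-quote character.
    This is safe only because the template wraps the attribute in double quotes."""
    return value.replace('"', '')


def render_escaped(css_id, css_class, body):
    """Hardened form: escape & < > " ' in both attribute values.
    Same intent as Drupal's check_plain(); it stays correct no matter which
    quote style the template uses, unlike quote stripping."""
    return '<div id="%s" class="%s">%s</div>' % (
        html.escape(css_id, quote=True), html.escape(css_class, quote=True), body)


class _Elements(HTMLParser):
    """Collects (tag, attrs) for every start tag a browser-style parser sees."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found.append((tag, dict(attrs)))


def elements_in(markup):
    """Parse rendered output and return its start tags with their attributes."""
    parser = _Elements()
    parser.feed(markup)
    parser.close()
    return parser.found


def pane_is_safe(markup):
    """A safe render of one pane yields exactly one 'div' and nothing else,
    whatever the configured id and class were."""
    return [tag for tag, _ in elements_in(markup)] == ['div']
```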

Patch:

Applying the following patch mitigates this issue in version 5.x-1.2.

--- modules/panels/content_types/custom.inc	2007-03-15 19:13:41.000000000 -0400
+++ modules/panels/content_types/custom.inc	2011-01-14 12:04:23.371814132 -0500
@@ -16,8 +16,8 @@ function panels_custom_panels_content_ty
  */
 function panels_content_custom($conf) {
   $title      = filter_xss_admin($conf['title']);
-  $css_id     = filter_xss_admin($conf['css_id']);
-  $css_class  = filter_xss_admin($conf['css_class']);
+  $css_id     = str_replace('"', '', filter_xss_admin($conf['css_id']));
+  $css_class  = str_replace('"', '', filter_xss_admin($conf['css_class']));
   $body       = check_markup($conf['body'], $conf['format'], FALSE);
   return theme('panels_content_custom', $title, $body, $css_id, $css_class);
 }
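Review bot: the two `+` lines only remove the double-quote character, which works solely because the theme output wraps id and class in double quotes; `filter_xss_admin()` is a tag filter for markup, not an attribute escaper, so any other attribute breakout (a single quote in a single-quoted template, or an unquoted attribute) is left unaddressed. Prefer a context-correct escape on the raw values before they reach `theme()`, e.g. `$css_id = check_plain($conf['css_id']);` and `$css_class = check_plain($conf['css_class']);`. Also, the proof of concept sets CSS properties on an 'Existing node' pane while this hunk touches only content_types/custom.inc; confirm the node content type (or the shared theme function) escapes the same values, otherwise the fix is incomplete.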

Vendor Response:

The Drupal security team no longer supports vulnerability reports for Drupal 5. The module maintainer was notified in public forums.