Drupal Messaging Module XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and backed by a MySQL database. The Messaging Framework module (http://drupal.org/project/messaging) "is a Messaging Framework to allow message sending in a channel independent way."

The Messaging Framework module contains multiple cross site scripting (XSS) vulnerabilities: the name configured for a send method is user-supplied input, and it is output on the module's administrative pages without being sanitized.

Systems affected:

Drupal 6.19 with the Messaging (Messaging Framework) module version 6.x-2.3 was tested and shown to be vulnerable.

Impact

A user with the required permission could inject arbitrary script into pages viewed by other site users. This could result in administrative account compromise, which in turn can lead to compromise of the web server process. Cross site scripting can also be used to attack users through client-side vulnerabilities (such as exploits in browsers or plugins), leading to compromise of their machines.

Mitigating factors:

In order to exploit this vulnerability, the attacker must have access to an account with the 'administer notifications' permission.

Proof of concept:

  1. Install Drupal 6.19 and the Messaging module version 6.x-2.3
  2. Alter the name of the default messaging method at ?q=admin/messaging/settings/method so that it reads "Mail <script>alert('xss');</script>"
  3. View the Messaging Settings at ?q=admin/messaging/settings; the JavaScript alert fires
  4. View the Messaging Templates at ?q=admin/messaging/template; the JavaScript alert fires
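
To make the rendering defect concrete, the following is an added example in plain PHP (not code from this advisory or from the Messaging module). It builds the template table row and the "Default send method" radio labels from a constructed method table that contains the proof-of-concept name, once as the module concatenated them before the patch and once through a local stand-in for Drupal 6's check_plain(). The method keys, the descriptions and all messaging_example_* function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the advisory or from the Messaging module.
// It reproduces the unescaped concatenation the patch fixes, with a local
// stand-in for Drupal 6's check_plain() so it runs without Drupal.

// Stand-in for Drupal 6 check_plain(): htmlspecialchars() with ENT_QUOTES and
// UTF-8. With exactly these flags PHP returns '' for invalid UTF-8 input rather
// than passing the bytes through, which matches check_plain()'s behaviour.
function messaging_example_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed method table in the shape of messaging_method_info() after the
// proof of concept renamed the mail method. Keys and descriptions are assumptions.
function messaging_example_methods() {
  return array(
    'mail'   => array('name' => "Mail <script>alert('xss');</script>",
                      'description' => 'Send messages by e-mail'),
    'simple' => array('name' => 'Simple', 'description' => ''),
  );
}

// Before the patch: the admin/messaging/template row, attacker text inlined as markup.
function messaging_example_row_vulnerable(array $info) {
  return '<strong>'. $info['name'] .'</strong>';
}

// After the patch: the name is escaped, so the browser shows the literal text.
function messaging_example_row_fixed(array $info) {
  return '<strong>'. messaging_example_check_plain($info['name']) .'</strong>';
}

// Before the patch: the "Default send method" radio labels. Drupal 6's form API
// prints radio #options labels as given, so an unescaped name reaches the page.
function messaging_example_radio_labels_vulnerable(array $methods) {
  $labels = array();
  foreach ($methods as $key => $info) {
    $labels[$key] = $info['name'];
  }
  return $labels;
}

// After the patch: the same labels passed through the escaper, using the
// quoted string callback form that array_map() expects.
function messaging_example_radio_labels_fixed(array $methods) {
  return array_map('messaging_example_check_plain',
                   messaging_example_radio_labels_vulnerable($methods));
}

// A coarse check for an audit script: did a raw <script> tag survive rendering?
function messaging_example_has_script_tag($html) {
  return stripos($html, '<script') !== false;
}

$methods = messaging_example_methods();
foreach ($methods as $key => $info) {
  printf("%-6s vulnerable row: %s\n", $key, messaging_example_row_vulnerable($info));
  printf("%-6s fixed row:      %s\n", $key, messaging_example_row_fixed($info));
}
foreach (messaging_example_radio_labels_fixed($methods) as $key => $label) {
  printf("%-6s fixed radio label: %s\n", $key, $label);
}
printf("raw payload in vulnerable row: %s\n",
       messaging_example_has_script_tag(messaging_example_row_vulnerable($methods['mail'])) ? 'yes' : 'no');
printf("raw payload in fixed row:      %s\n",
       messaging_example_has_script_tag(messaging_example_row_fixed($methods['mail'])) ? 'yes' : 'no');
```

Run it with the PHP CLI. The escaped output renders the payload as visible text because `<`, `>` and `'` become entities, which is the whole effect of the patch; the point of escaping at output time rather than at input time is that the same stored name is safe on every page that prints it, including the radio labels, which Drupal 6's form API does not escape for you.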

Vendor response:

Upgrade to the latest version of the Messaging module (http://drupal.org/node/1064014).

Patch:

Applying the following patch mitigates these vulnerabilities.

--- messaging/messaging.admin.inc	2010-05-11 12:36:13.000000000 -0400
+++ messaging.fixed/messaging.admin.inc	2010-12-20 13:04:24.000000000 -0500
@@ -81,7 +81,7 @@ function messaging_admin_template() {
   messaging_method_list();
   foreach (messaging_method_info() as $method => $info) {
     $rows[] = array(
-      '<strong>'. $info['name'] .'</strong>',
+      '<strong>'. check_plain($info['name']) .'</strong>',
       !empty($info['description']) ? $info['description'] : ''
     );
   }
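Review bot: `$info['description']` on the line after the fixed one is still concatenated into the row unescaped; if descriptions come from the same method definitions as the attacker-controlled name, they need the same treatment, e.g. `!empty($info['description']) ? check_plain($info['description']) : ''` (or filter_xss() if descriptions are meant to carry markup).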
@@ -247,7 +247,7 @@ function messaging_admin_settings() {
   $form['general']['messaging_default_method'] = array(
     '#title' => t('Default send method'),
     '#type' => 'radios',
-    '#options' => $methods,
+    '#options' => array_map(check_plain, $methods),
     '#default_value' => variable_get('messaging_default_method', ''),
   );
   $form['general']['messaging_sender_name'] = array(
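Review bot: the callback in `'#options' => array_map(check_plain, $methods),` is a bare identifier, not a string; PHP only tolerates an undefined constant by assuming its own name with a notice, and PHP 8 rejects it outright, so it should read `'#options' => array_map('check_plain', $methods),`. The escaping itself is right to add here, since Drupal 6's form API renders radio option labels unescaped.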