Drupal Webform Validation Module XSS

1 December 2011
Reported: August 31, 2011

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Webform Validation module (http://drupal.org/project/webform_validation) is designed to provide additional verification for nodes using the Webform module (http://drupal.org/project/webform). The Webform Validation module contains multiple cross site scripting (XSS) vulnerabilities because it fails to sanitize rule names or custom error messages before display.

Systems affected:

Drupal 6.22 with Webform Validation 6.x-1.4 was tested and shown to be vulnerable. Other versions may also be affected.

Impact

A user could inject arbitrary scripts into pages viewed by site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that attacks client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:

Sites must use both the Webform and Webform Validation modules to be vulnerable. In order to exploit this vulnerability the attacker must have credentials for an authorized account that has been assigned the permissions to create or edit webform nodes. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of Concept:

  1. Install Drupal and the Webform and Webform Validation modules
  2. Create a new webform node at ?q=node/add/webform with arbitrary content
  3. View validation rules for the webform by viewing the node, clicking the 'Webform' tab then the 'Form validation' sub-tab or at the URL ?q=node/XXX/webform/validation where 'XXX' is the node id
  4. Click on the 'Equal values' link under the 'Add a validation rule' heading
  5. Enter "<script>alert('xss');</script>" for the rule name and select two components.
  6. Click 'Add rule' to save the script
  7. Viewing the validation rules for the node now presents the persistent XSS

-Second proof-

  1. Follow steps 1-3 above
  2. Click the 'Specific value(s)' link under the 'Add a validation rule' heading
  3. Enter "<script>alert('xss');</script>" in the 'Custom error message' text area and arbitrary values for other fields.
  4. Click 'Add rule'
  5. View the webform node and submit the form without the values specified in the '(Key) value' form field from step 3 to trigger the rule
  6. The resulting error message will render the arbitrary script from step 3
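The root cause named in the description, and exercised by both proofs above, is stored text (a rule name, a custom error message) being placed into HTML without escaping at the output boundary. The following is an added illustration of the vulnerable pattern beside the hardened one; it is not the Webform Validation module's own code. It assumes Drupal 6's check_plain() (re-declared here only so the script runs outside a Drupal bootstrap, mirroring Drupal 6's implementation) and uses illustrative array keys for the stored rule.

```php
<?php
// Drupal 6 provides check_plain(); this fallback mirrors its implementation
// so the example runs stand-alone. Inside Drupal the core function is used.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample rule shaped like what an editor can store through the
// 'Add a validation rule' form. Key names are illustrative, not the module's.
$rule = array(
  'rulename'      => "<script>alert('xss');</script>",
  'error_message' => "<script>alert('xss');</script>",
);

// Vulnerable pattern: stored text concatenated straight into markup, so the
// browser executes the script when the rule list is viewed (first proof).
function render_rule_row_unsafe(array $rule) {
  return '<td>' . $rule['rulename'] . '</td>';
}

// Hardened pattern: escape at the point of output. The same bytes are
// stored, but the browser now shows them as literal text.
function render_rule_row_safe(array $rule) {
  return '<td>' . check_plain($rule['rulename']) . '</td>';
}

// Error path (second proof): Drupal 6 prints messages passed to
// form_set_error() / drupal_set_message() as HTML, so a custom message must
// be escaped before it is handed to either function.
function build_error_message_safe(array $rule) {
  return check_plain($rule['error_message']);
}

echo render_rule_row_unsafe($rule), "\n";   // raw <script> tag reaches the page
echo render_rule_row_safe($rule), "\n";     // &lt;script&gt;...&lt;/script&gt;
echo build_error_message_safe($rule), "\n"; // safe to pass to form_set_error()
```

Escaping belongs at output rather than at save time: a value stored already-escaped gets double-encoded in some contexts and silently unescaped in others (for example when edited back into a form field), whereas check_plain() applied once, immediately before insertion into HTML, gives a consistent result.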

Vendor Response:

SA-CONTRIB-2011-056 - Upgrade to latest version of Webform validation module.