Drupal Vote Up Down 6.x-3.0 XSS Vulnerability

12 January 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Vote Up Down module (https://drupal.org/project/vote_up_down) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize taxonomy terms before display.

Systems affected:

Drupal 6.22 with Vote Up Down 6.x-3.0 was tested and shown to be vulnerable.

Impact:

Users could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise.

Mitigating factors:

To inject arbitrary script, malicious users must have the ability to create or edit taxonomy terms.

Proof of Concept Exploit:

  1. Install and enable the Vote Up Down and VotingAPI modules
  2. Create a new taxonomy vocabulary at ?q=admin/content/taxonomy/add/vocabulary, apply it to the 'Story' content type
  3. Select 'Tags' in the 'Settings' for the taxonomy
  4. Add voting to the Story type at ?q=admin/settings/voteupdown/term by checking 'Story' and saving
  5. Create a new Story at ?q=node/add/story and add "<script>alert('xss');</script>" in the taxonomy area
  6. Save the story to view the rendered JavaScript alert
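
The flaw class described above (a taxonomy term name written into markup without escaping), shown beside its hardened form, plus a check for stored term names that already contain markup. This is an added example, not code from the Vote Up Down module or from this advisory. Assumptions: the function names, the 'term' CSS class and the sample rows are hypothetical, and escape_plain() stands in for Drupal's check_plain().

```php
<?php
// Added example: not the module's code. All names here are hypothetical.

// Stand-in for Drupal's check_plain(): encode HTML metacharacters as entities.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Flawed pattern: the stored term name goes into the page as-is,
// so any markup in it is interpreted by the browser.
function render_term_unsafe(array $term) {
  return '<span class="term">' . $term['name'] . '</span>';
}

// Hardened pattern: escape at output time, whatever was stored.
function render_term_safe(array $term) {
  return '<span class="term">' . escape_plain($term['name']) . '</span>';
}

// Audit helper: return the ids of terms whose stored name contains
// angle brackets, so they can be reviewed after the output fix is in place.
function find_suspect_terms(array $terms) {
  $hits = array();
  foreach ($terms as $term) {
    if (preg_match('/[<>]/', $term['name'])) {
      $hits[] = $term['tid'];
    }
  }
  return $hits;
}

// Constructed sample rows (tid and name only); row 2 is the string from step 5.
$terms = array(
  array('tid' => 1, 'name' => 'security'),
  array('tid' => 2, 'name' => "<script>alert('xss');</script>"),
  array('tid' => 3, 'name' => 'R&D'),
);

foreach ($terms as $term) {
  echo 'unsafe: ', render_term_unsafe($term), "\n";
  echo 'safe:   ', render_term_safe($term), "\n";
}
echo 'Suspect term ids: ', implode(', ', find_suspect_terms($terms)), "\n";
```

Escaping at output also covers legitimate names such as 'R&D', which the audit check does not flag but which still need entity encoding to produce valid markup.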