Drupal Panels 6.x-3.9 XSS Vulnerability

19 January 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Panels module (http://drupal.org/project/panels) "allows a site administrator to create customized layouts for multiple uses. At its core it is a drag and drop content manager that lets you visually design a layout and place content within that layout." Unfortunately the Panels module contains a persistent arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) because it fails to sanitize user-supplied input before display.

Systems affected:

Drupal 6.22 with Panels 6.x-3.9 was tested and shown to be vulnerable.

Impact

The Panels module is deployed on over 100,000 Drupal sites according to the module project page. Users could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'use page manager' and 'administer advanced pane settings' permissions. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept exploit:

  1. Install Drupal 6.22, Panels 6.x-3.9 and the Ctools module 6.x-1.8 (a prerequisite)
  2. Enable the Panels module and the page manager in Ctools from ?q=admin/build/modules
  3. Go to ?q=admin/build/panels/layouts/add
  4. Click 'Add flexible layout' beneath the 'Layouts' tab at the top
  5. Enter an arbitrary title, name and description
  6. Click the 'Row' link and select 'Add region to right'
  7. Enter '"><script>alert("xss1");</script><div' for the 'Region title:'
  8. Click 'Save'
  9. Observe the rendered JavaScript.
  10. Click 'Save' to save the layout. The XSS will persist at the URL ?q=admin/build/panels/layouts/list/[name]/edit, where [name] is the administrative name of the layout.

Patch:

Applying the following patch mitigates this issue in version 6.x-3.9:

--- panels/plugins/display_renderers/panels_renderer_editor.class.php	2010-10-29 15:05:21.000000000 -0400
+++ panels/plugins/display_renderers/panels_renderer_editor.class.php	2011-11-29 21:30:34.121425387 -0500
@@ -91,7 +91,7 @@ class panels_renderer_editor extends pan
     // @todo this should be panel-region not panels-display -- but CSS and .js has to be updated.
     $output = "<div class='panels-display' id='panel-pane-$region_id'>";
     $output .= $panel_buttons;
-    $output .= "<h2 class='label'>" . $this->plugins['layout']['panels'][$region_id] . "</h2>";
+    $output .= "<h2 class='label'>" . check_plain($this->plugins['layout']['panels'][$region_id]) . "</h2>";
     $output .= $content;
     $output .= "</div>";
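Review bot: The fix escapes the region title only at this single output point (the <h2> label); because check_plain() is applied at render time rather than when the title is saved, every other place that prints $this->plugins['layout']['panels'][$region_id] needs the same treatment, so please confirm those paths are covered. The unchanged context line `$output = "<div class='panels-display' id='panel-pane-$region_id'>";` also interpolates $region_id into an attribute without escaping; if region ids can originate from user-entered text, wrap it the same way, otherwise add a comment stating how region ids are validated so the next reader does not have to re-check.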

Vendor Response:

Update to the latest version of Panels (ref: SA-CONTRIB-2012-011 https://drupal.org/node/1409436).