Drupal Activity 6.x-1.2 Multiple XSS Vulnerabilities

28 March 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. "The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS." The Drupal Activity module (https://drupal.org/project/activity) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize flag titles before display. The Activity module also fails to sanitize tokenized messages on output, leading to a second persistent XSS vulnerability.

Systems affected:

Drupal 6.22 with Activity 6.x-1.2 was tested and shown to be vulnerable.
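As an added check (not from the advisory and not part of the Activity module), the following POSIX shell script reports whether an installed copy of activity.module already carries the three filter_xss() calls from the patch later on this page. It assumes the function names and the exact patched lines shown in that patch, and takes the path of the module file as its only argument.

```shell
# check_activity_patch.sh: added check (not part of the advisory or of the
# Activity module) that reports whether a copy of activity.module carries the
# three filter_xss() calls from the patch on this page.
# Usage: sh check_activity_patch.sh sites/all/modules/activity/activity.module

# Print the body of one top-level PHP function: from its "function NAME(" line
# up to (not including) the next line that starts another "function ".
function_body() {
  awk -v fn="$2" '
    $0 ~ ("^function " fn "\\(") { inside = 1; print; next }
    inside && /^function / { exit }
    inside { print }
  ' "$1"
}

# Succeed (exit 0) when the literal string $3 occurs inside function $2 of file $1.
has_in_function() {
  function_body "$1" "$2" | grep -qF -- "$3"
}

# Exit 0 when all three hunks are present, 1 when any is missing; each missing
# hunk is reported on stdout so an operator knows which output path is unfixed.
activity_module_patched() {
  file="$1"
  status=0
  has_in_function "$file" activity_token_replace 'return filter_xss($message);' ||
    { echo "missing: filter_xss() on the tokenized message in activity_token_replace()"; status=1; }
  has_in_function "$file" activity_module_settings "'#title' => filter_xss(t(\$type))," ||
    { echo "missing: filter_xss() on the fieldset title in activity_module_settings()"; status=1; }
  has_in_function "$file" activity_module_settings "array_map(\"filter_xss\", \$info['types'])" ||
    { echo "missing: filter_xss() on the token type options in activity_module_settings()"; status=1; }
  return "$status"
}

# Command-line entry point; does nothing when no file argument is given.
if [ -n "$1" ]; then
  if activity_module_patched "$1"; then
    echo "$1: patched"
  else
    echo "$1: NOT patched, sanitization from the advisory patch is missing"
    exit 1
  fi
fi
```

The check matches the literal patched lines, so a site that fixed the same output paths with different code (for example check_plain() instead of filter_xss()) is reported as missing the hunk and needs a manual look.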

Impact

Users can inject arbitrary HTML (including JavaScript) in order to attack site users, including administrative users. This could lead to account compromise, which could in turn lead to web server compromise, or expose administrative users to client-side malware attacks.

Mitigating factors:

To exploit the flag title display vulnerability, a malicious user must have the "administer flags" permission. To exploit the tokenized string display vulnerability, a malicious user must have the "administer activity" permission.

Proof of Concept Exploits:

Flag title XSS:

  1. Install and enable the Activity and Flag modules.
  2. Add a new Flag with an arbitrary name at ?q=admin/build/flags/add.
  3. On the resulting page (?q=admin/build/flags/add/node/[name]) enter "<script>alert('xss');</script>" for the flag Title.
  4. View the rendered JavaScript at /?q=admin/settings/activity/flagactivity.

Tokenized message XSS:

  1. As above (install and enable the Activity and Flag modules).
  2. Alter the "Comment: Insert:" field in the "Message visible to the 'All' role" fieldgroup at ?q=admin/settings/activity/commentactivity to insert the text "<script>alert('xss');</script>".
  3. Move the "Activity (All): show all recent activity" block to a visible content region at ?q=admin/build/block.
  4. Create a story at ?q=node/add/story.
  5. Log out.
  6. As an anonymous user, add a comment at ?q=comment/reply/X#comment-form, where X is the nid of the story from step 4.
  7. Submit the comment to view the rendered JavaScript alert in the Activity block, or log back in to see the JavaScript at ?q=activity.

Patch:

The following patch mitigates these vulnerabilities.

--- activity/activity.module	2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module	2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
         '#type' => 'checkboxes',
         '#title' => t('Token types'),
         '#description' => t('Select the token types that you wish to record activity from.'),
-        '#options' => $info['types'],
+        '#options' => array_map("filter_xss", $info['types']),
         '#default_value' => variable_get($module .'_token_types', array_keys($info['types'])),
         '#attributes' => array('class' => 'activity-token-types'),
       );
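Review bot: `array_map("filter_xss", $info['types'])` runs each token type label through filter_xss() with its default allowed-tag list, so tags such as `<a>` or `<em>` in a label still reach the checkbox labels. If these labels are meant to be plain text, `array_map('check_plain', $info['types'])` is the tighter choice, since check_plain() escapes everything rather than filtering by whitelist. Only the option values are sanitized here; the `#default_value` line still takes the raw keys, which is fine as long as they are never printed as markup.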
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
                 if (count($types) > 1) {
                   $form[$module][$role_name][$type_name] = array(
                     '#type' => 'fieldset',
-                    '#title' => t($type),
+                    '#title' => filter_xss(t($type)),
                     '#collapsible' => TRUE,
                     '#collapsed' => TRUE,
                   );
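Review bot: `filter_xss(t($type))` keeps the call to t() on a variable, which Drupal's coding standards discourage because t() expects a literal string that can be extracted for translation; if `$type` is a user-supplied title there is nothing to translate and the t() wrapper can be dropped. Sanitizing `#title` is the correct fix, because theme_fieldset() in Drupal 6 prints the title unescaped inside `<legend>`, but for a plain title check_plain() is stricter than filter_xss(), which leaves its default whitelist of tags in place.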
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
     activity_invoke_activityapi($activity, 'render');
     $message = token_replace($pattern, $module, $data);
     $message = token_replace($message, 'activity', $data);
-    return $message;
+    return filter_xss($message);
   }
 }
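Review bot: sanitizing at the single return point is sound for this function, since both token_replace() passes have already run by then; filter_xss() keeps `<a>` and the other tags on its default whitelist and neutralises `javascript:` URLs through filter_xss_bad_protocol(), so message patterns that intentionally link to the node or user continue to render. Two caveats: tags outside the whitelist (for example `<img>`) in a legitimate message pattern are now stripped, and the stored messages are left as they are, so any code path that prints an activity message without going through activity_token_replace() is not covered by this hunk.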