Drupal Revisioning 6.x-3.13 XSS Vulnerability

9 February 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-1060
OSVDB: 78978

Description of Vulnerability:

Drupal is a robust content management system (CMS) written in PHP and MySQL. The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize taxonomy tags before displaying them on the revisions overview.

Systems affected:

Drupal 6.22 with Revisioning 6.x-3.13 was tested and shown to be vulnerable

Impact

Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML in their tags. The attack would then target content moderators (presumably users with higher privileges), which could lead to silent account compromise and privilege escalation for the attacker. Attackers could also expose content reviewers to targeted client-side (malware) attacks, redirection (for phishing), or XSRF attacks.

Mitigating factors:

In order to execute arbitrary script injection malicious users must have the ability to create content with free taxonomy terms.
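Because the payload is stored in free-tagging taxonomy terms, a site administrator can audit existing term names for markup before moderators open the revisions overview. The script below is an added example, not part of this advisory or the Revisioning module; it assumes term rows exported from Drupal 6's term_data table in (tid, vid, name) order, and the sample rows are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample rows in the shape of Drupal 6's term_data table
# (tid, vid, name). These are not values from the advisory or a real site.
SAMPLE_TERMS = [
    (1, 2, "drupal"),
    (2, 2, "<script>alert('xss');</script>"),
    (3, 2, "<a href=\"javascript:alert(1)\">news</a>"),
    (4, 2, "<b onmouseover=\"alert(1)\">bold</b>"),
    (5, 2, "R&D < 2012"),  # a bare '<' is not a tag and must not be flagged
]


class _TagFinder(HTMLParser):
    """Records tags, on* event handlers and javascript: URIs in a term name."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"handler:{name}")
            elif value and re.match(r"\s*javascript:", value, re.I):
                self.findings.append(f"uri:{name}")


def suspicious_findings(name):
    """Return a list of markup findings for one term name (empty if clean)."""
    parser = _TagFinder()
    parser.feed(name)
    parser.close()
    return parser.findings


def audit_terms(rows):
    """Return {tid: findings} for every term name that contains markup."""
    flagged = {}
    for tid, _vid, name in rows:
        findings = suspicious_findings(name)
        if findings:
            flagged[tid] = findings
    return flagged


if __name__ == "__main__":
    for tid, findings in audit_terms(SAMPLE_TERMS).items():
        print(f"term {tid}: {', '.join(findings)}")
```

Any flagged term should be cleaned or deleted through the taxonomy administration pages, and the Revisioning module upgraded so that term names are filtered on output regardless of what is stored.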

Proof of Concept Exploit:

  1. Install and enable the Revisioning module
  2. Enable the Taxonomy module (part of core)
  3. Create a new vocabulary at ?q=admin/content/taxonomy/add/vocabulary, being sure to apply it to the 'Story' content type and selecting 'Tags' under settings
  4. Edit the workflow settings for the Story content type at ?q=admin/content/node-type/story, selecting 'Create new revision'
  5. Create a new story at ?q=node/add/story putting "<script>alert('xss');</script>" as the tag for the Vocabulary created in step #3, check the 'Create new revision' and 'New revision in draft, pending moderation' checkboxes in the 'Revision information' fieldgroup
  6. Save the story
  7. View the 'Revisions' tab at ?q=node/X/revisions where X is the node ID to view the rendered JavaScript alert box

Patch:

The following patch mitigates this vulnerability:

--- revisioning/revisioning_theme.inc	2011-07-19 01:32:33.000000000 -0400
+++ revisioning.fixed/revisioning_theme.inc	2012-01-29 04:26:05.993398527 -0500
@@ -190,7 +190,7 @@ function theme_revisioning_revisions_sum
     }
     // Term
     if ($show_taxonomy_terms) {
-      $row[] = drupal_render($form['term'][$vid]);
+      $row[] = filter_xss(drupal_render($form['term'][$vid]));
     }
     // Publication status
     $is_current = ($vid == $node->vid);
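Review bot: wrapping the fully rendered element in filter_xss() (the `+` line, `$row[] = filter_xss(drupal_render($form['term'][$vid]));`) filters the term text only after it has been mixed with whatever wrapper markup drupal_render() produces, so any wrapper tags outside filter_xss()'s default allow-list are stripped along with the payload, and the fix depends on the allow-list rather than on escaping the untrusted value itself. The cleaner change is to escape or filter the term name at the point where it is placed into $form['term'][$vid] (check_plain() for a plain name, filter_xss() if limited markup is intentional), leaving the rendered form element untouched; this hunk also only covers the taxonomy column of the row, so the other columns built in theme_revisioning_revisions_summary should be checked for the same unescaped source.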

Vendor response:

Upgrade to the latest version. SA-CONTRIB-2012-018