Drupal Data 6.x-1.0 XSS Vulnerability

7 March 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-1654
OSVDB: 79854

Reported: February 8, 2012

Description of Vulnerability:

Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and commonly deployed on MySQL. The Drupal Data module (https://drupal.org/project/data) "helps you model, manage and query related sets of tables. It offers an administration interface and a low level API for manipulating tables and accessing their contents." The Data module contains a persistent (stored) cross-site scripting (XSS) vulnerability: the user-supplied table title entered when a table is created is not sanitized before it is rendered in the module's administrative pages, so markup and script in the title are emitted verbatim.

Systems affected:

Drupal 6.22 with Data 6.x-1.0 was tested and shown to be vulnerable. Earlier releases of the 6.x branch were not tested.

Impact:

A malicious user could inject arbitrary script into pages viewed by other site users. Because the injected script renders on administrative pages, an administrator who merely views the table listing executes it in their own session. This could result in administrative account compromise, which in turn can lead to compromise of the web server process.

Mitigating factors:

In order to carry out the script injection, a malicious user must have the ability to administer Data tables. Note that this is a privilege-escalation path rather than a purely self-inflicted one: the payload executes for whoever views the affected pages, so a user granted table administration can target full site administrators.

Proof of Concept Exploit:

  1. Install and enable the Data module
  2. Create a new table at ?q=admin/build/data/create using "<script>alert('xss');</script>" as the 'Table title'
  3. View the rendered JavaScript alert at ?q=admin/content/data
  4. JavaScript also renders through the Views module at ?q=admin/build/views/edit/X where X is the table name from step 2
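The root cause described above (an unescaped table title dropped straight into page markup) and the corresponding fix, shown as an added example. This is not code from the Data module, from Drupal core, or from the advisory author. The function names `data_admin_row_vulnerable`, `data_admin_row_fixed` and `render_row` and the sample table record are hypothetical; `render_row` stands in for Drupal 6's `theme('table')`, which does not escape cell contents. Drupal 6's real `check_plain()` is only defined inside a Drupal bootstrap, so a stand-in with the same semantics (htmlspecialchars with ENT_QUOTES and UTF-8) is supplied when it is absent, letting the script run with a plain `php` binary.

```php
<?php
// Added example (not Data module code): unescaped vs. escaped output of a
// user-controlled table title, the pattern behind this advisory.

// Stand-in for Drupal 6's check_plain(); only used outside a Drupal bootstrap.
// Drupal 6's implementation is htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
// after a UTF-8 validity check.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample: a Data table record whose title carries the PoC payload
// from step 2 above. Field names are assumed for the example.
$table = (object) array(
  'name'  => 'data_table_example',               // machine name of the table
  'title' => "<script>alert('xss');</script>",   // attacker-controlled title
);

// Vulnerable pattern: the title goes into the row as-is. theme('table') in
// Drupal 6 does not escape cells, so the script tag reaches the browser intact.
function data_admin_row_vulnerable($table) {
  return array(
    $table->title,
    $table->name,
  );
}

// Fixed pattern: every user-supplied string is escaped before it becomes
// markup. The machine name is escaped too rather than trusting its validator.
function data_admin_row_fixed($table) {
  return array(
    check_plain($table->title),
    check_plain($table->name),
  );
}

// Minimal stand-in for theme('table') cell rendering: cells are concatenated
// without any escaping, exactly the behaviour the fix has to account for.
function render_row(array $cells) {
  return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

echo "Vulnerable: ", render_row(data_admin_row_vulnerable($table)), "\n";
echo "Fixed:      ", render_row(data_admin_row_fixed($table)), "\n";
```

Running the script prints the vulnerable row with the `<script>` element verbatim and the fixed row with it entity-encoded, which is the difference an XSS audit of a Drupal 6 module looks for at every point where a stored string meets markup. Two related Drupal 6 caveats for reviewers: `t()` placeholders of the form `@name` and `%name` are passed through `check_plain()`, but `!name` is not, so a title interpolated with `!name` is equally exposed; and because the same title is also rendered through the Views integration (step 4 above), escaping has to be applied at each output point, not only on the `admin/content/data` listing.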

Vendor Response:

On 7 March 2012 the vendor released SA-CONTRIB-2012-030, recommending an upgrade to Data version 6.x-1.1 or later.