Drupal Data 6.x-1.0 XSS Vulnerability
Vulnerability Report
Author: Justin C. Klein Keane <firstname.lastname@example.org>
OSVDB: 79854
Reported: February 8, 2012
Description of Vulnerability:
Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Data module (https://drupal.org/project/data) "helps you model, manage and query related sets of tables. It offers an administration interface and a low level API for manipulating tables and accessing their contents." The Data module contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize table names before display.
Drupal 6.22 with Data 6.x-1.0 was tested and shown to be vulnerable.
A user could inject arbitrary scripts into pages, affecting site users. This could result in administrative account compromise, leading to web server process compromise.
To inject arbitrary scripts, malicious users must have the ability to administer data tables.
Proof of Concept Exploit:
- Install and enable the Data module
- Create a new table at ?q=admin/build/data/create using "<script>alert('xss');</script>" as the 'Table title'
On 7 March, 2012 the vendor released SA-CONTRIB-2012-030, recommending an upgrade to Data version 6.x-1.1 or later.
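
The flaw described above is a missing output-escaping step, shown here as an added example that is not the Data module's code (this report does not include it). The two renderer functions, the sample rows and the table names are hypothetical, and check_plain() is defined as a stand-in for Drupal 6's function of the same name so the script runs without Drupal.

```php
<?php
// Added example: runs stand-alone with the PHP CLI, no Drupal bootstrap needed.

// Stand-in for Drupal 6's check_plain(), which HTML-escapes untrusted text.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical renderer showing the flaw: the stored title reaches HTML as-is.
function render_table_rows_unsafe(array $tables) {
  $rows = '';
  foreach ($tables as $table) {
    $rows .= '<tr><td>' . $table['title'] . '</td></tr>' . "\n";
  }
  return $rows;
}

// Hardened form: escape at output time, whatever was stored.
function render_table_rows_safe(array $tables) {
  $rows = '';
  foreach ($tables as $table) {
    $rows .= '<tr><td>' . check_plain($table['title']) . '</td></tr>' . "\n";
  }
  return $rows;
}

// Constructed sample rows; the second title is the string from the proof of concept.
$tables = array(
  array('name' => 'data_table_sales', 'title' => 'Sales & returns'),
  array('name' => 'data_table_poc', 'title' => "<script>alert('xss');</script>"),
);

$unsafe = render_table_rows_unsafe($tables);
$safe = render_table_rows_safe($tables);

// Regression check: no script element may survive in rendered output.
foreach (array('unsafe' => $unsafe, 'safe' => $safe) as $label => $html) {
  $verdict = (stripos($html, '<script') === FALSE) ? 'escaped' : 'RAW SCRIPT TAG PRESENT';
  echo $label . ': ' . $verdict . "\n" . $html . "\n";
}
```

Escaping at display time also neutralizes titles that were stored before an upgrade, which input-side filtering alone would not.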