Drupal Mobile Tools 6.x-2.3 XSS
30 May 2012
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Mobile Tools module (https://drupal.org/project/mobile_tools) "provides Drupal developers with some tools to assist in making a site mobile." The Mobile Tools module contains several persistent cross-site scripting (XSS) vulnerabilities because it fails to sanitize user-supplied values before display.

Systems affected:
Drupal 6.24 with Mobile Tools 6.x-2.3 was tested and shown to be vulnerable.

Impact:
Users could be subject to account compromise, client-side attack, or other vulnerabilities due to arbitrary script execution.

Mitigating factors:
In order to execute arbitrary script injection, malicious users must have the ability to administer Mobile Tools.

Proof of Concept Exploit:
1. Install and enable the Mobile Tools module.
2. Enable the 'Mobile Tools message block' from ?q=admin/build/block.
3. Navigate to the Mobile Tools administration page at ?q=admin/settings/mobile-tools.
4. Under 'General configuration', for the 'Mobile URL' and 'Desktop URL' insert the following text, including the double quotes:
   " onmouseover="javascript:alert('url xss');" id="
5. In the 'Mobile Tools block message options', append the text "<script>alert('xss');</script>" to the message.
6. Save the configuration to view the JavaScript alert from step 5.
7. Mouse over the text in the block from step 2 to view the JavaScript injected in step 4.
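The defect class the advisory describes, shown as an added illustration that is not the Mobile Tools module's own code: an admin-supplied URL dropped into an HTML attribute and a block message echoed raw, each beside the Drupal 6 API call that neutralises it. The settings names and the mobile_tools_example_* functions are hypothetical; variable_get(), check_url(), check_plain(), filter_xss() and t() are real Drupal 6 functions.

```php
<?php
// Added illustration only. Variable names and function names below are
// assumed, not taken from the Mobile Tools module.

// UNSAFE (the pattern behind steps 4 and 7): the stored URL goes straight
// into an href attribute, so a value containing a double quote can close the
// attribute and supply its own (for example an event-handler attribute).
function mobile_tools_example_switch_link_unsafe() {
  $url = variable_get('mobile_tools_example_mobile_url', '');
  return '<a href="' . $url . '">' . t('Go to mobile site') . '</a>';
}

// SAFE: check_url() removes dangerous schemes (javascript:, data:, ...) and
// returns the result through check_plain(), so quotes and angle brackets are
// entity-encoded and the value can no longer break out of the attribute.
function mobile_tools_example_switch_link_safe() {
  $url = variable_get('mobile_tools_example_mobile_url', '');
  return '<a href="' . check_url($url) . '">' . t('Go to mobile site') . '</a>';
}

// UNSAFE (the pattern behind steps 5 and 6): the block message is returned
// as-is, so any <script> element stored in it runs for every visitor who is
// shown the block. The "administer" permission limits who can store it, but
// the payload then executes in the browsers of all users, not just admins.
function mobile_tools_example_block_message_unsafe() {
  return variable_get('mobile_tools_example_block_message', '');
}

// SAFE: filter_xss() keeps only the whitelisted tags and strips script
// elements, on* handlers and dangerous URL schemes from what remains. Use
// check_plain() instead when the field should never contain markup at all.
function mobile_tools_example_block_message_safe() {
  $message = variable_get('mobile_tools_example_block_message', '');
  return filter_xss($message, array('a', 'em', 'strong', 'p', 'br'));
}
```

The same rule applies to any other setting the module prints: escape at output time with the function that matches the context (attribute, URL, or HTML body), rather than trusting that an administrator-only form is safe.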