Drupal Mobile Tools 6.x-2.3 XSS
30 May 2012
Description of Vulnerability: Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Mobile Tools module (https://drupal.org/project/mobile_tools) "provides Drupal developers with some tools to assist in making a site mobile." The Mobile Tools module contains several persistent cross site scripting (XSS) vulnerabilities because it fails to sanitize user supplied values before display.
Systems affected: Drupal 6.24 with Mobile Tools 6.x-2.3 was tested and shown to be vulnerable.
Impact: Users could be subject to account compromise, client side attack, or other vulnerabilities due to arbitrary script execution.
Mitigating factors: In order to execute arbitrary script injection, malicious users must have the ability to administer Mobile Tools.
Proof of Concept Exploit:
- Install and enable the Mobile Tools module
- Enable the 'Mobile Tools message block' from ?q=admin/build/block
- Navigate to the Mobile Tools administration page at ?q=admin/settings/mobile-tools
- Under 'General configuration' for the 'Mobile URL' and 'Desktop URL' insert the following text, including double quotes:
- In the 'Mobile Tools block message options' append the text "<script>alert('xss');</script>" to the message
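The pattern behind this finding and its fix, shown as an added illustration in Drupal 6 API style; this is not the Mobile Tools module's own code, and the mt_demo_* variable and function names are hypothetical stand-ins for the Mobile URL, Desktop URL and block message settings the advisory names.

```php
<?php
// Added illustration, not code from the Mobile Tools module. The mt_demo_*
// names are hypothetical; the three settings mirror the fields the advisory
// lists: Mobile URL, Desktop URL and the block message.

// Vulnerable pattern: admin-supplied settings are concatenated straight into
// block HTML. A value containing a double quote breaks out of the href=""
// attribute, and a value containing a <script> tag is stored and then runs in
// the browser of every visitor who sees the block (persistent XSS).
function mt_demo_block_view_unsafe() {
  $mobile_url  = variable_get('mt_demo_mobile_url', '');
  $desktop_url = variable_get('mt_demo_desktop_url', '');
  $message     = variable_get('mt_demo_block_message', '');
  return array(
    'subject' => t('Mobile Tools message'),
    'content' => $message
      . ' <a href="' . $mobile_url . '">' . t('Mobile site') . '</a>'
      . ' <a href="' . $desktop_url . '">' . t('Desktop site') . '</a>',
  );
}

// Hardened pattern (Drupal 6 API): treat every stored setting as untrusted at
// output time and escape it for the context it lands in.
//  - check_url()   removes disallowed protocols such as javascript: and then
//                  HTML-escapes the value, so it is safe inside href="".
//  - check_plain() HTML-escapes the message, so any markup is shown literally.
//  - filter_xss_admin() is the alternative when the message is meant to carry
//                  a limited set of markup entered by administrators.
function mt_demo_block_view_safe() {
  $mobile_url  = check_url(variable_get('mt_demo_mobile_url', ''));
  $desktop_url = check_url(variable_get('mt_demo_desktop_url', ''));
  $message     = check_plain(variable_get('mt_demo_block_message', ''));
  return array(
    'subject' => t('Mobile Tools message'),
    'content' => $message
      . ' <a href="' . $mobile_url . '">' . t('Mobile site') . '</a>'
      . ' <a href="' . $desktop_url . '">' . t('Desktop site') . '</a>',
  );
}
```

The "administer mobile tools" mitigating factor limits who can store the values, but escaping at output is what stops a stored value from executing for every visitor.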