Drupal Custom Publishing Options XSS Vulnerability

30 May 2012

Vulnerability Report

Reported Jan 3, 2012

CVE: CVE-2012-4496

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Publishing Options module (https://drupal.org/project/custom_pub) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize format names before display.
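As an added illustration (not code from the Custom Publishing Options module), the pattern behind this class of bug in a Drupal 6 module: an administrative listing that drops a stored label into a table cell as-is, beside the same listing with the label passed through check_plain() first. The function names and the sample labels are constructed for this example; it assumes the Drupal 6 API (check_plain(), theme('table'), t()) is loaded.

```php
<?php
// Added illustration, not the module's own code. Assumes a Drupal 6
// bootstrap so that check_plain(), theme() and t() are available.

// Constructed sample labels, as an administrator could have saved them.
// The second one carries markup in its display name.
$labels = array(
  (object) array('name' => 'Featured', 'machine_name' => 'featured'),
  (object) array('name' => 'Sticky <em>markup</em>', 'machine_name' => 'sticky_markup'),
);

/**
 * Vulnerable variant: the label name is placed into a table cell as-is.
 * theme('table') does not escape cell content, so whatever markup was
 * saved in the name is emitted into the page for everyone who views
 * this listing. A stored label therefore becomes a persistent XSS.
 */
function custom_pub_example_list_vulnerable(array $labels) {
  $rows = array();
  foreach ($labels as $label) {
    $rows[] = array($label->name, $label->machine_name);
  }
  return theme('table', array(t('Label'), t('Machine name')), $rows);
}

/**
 * Hardened variant: check_plain() HTML-encodes the stored strings before
 * they reach the renderer, so the label is displayed literally
 * ("Sticky &lt;em&gt;markup&lt;/em&gt;" in the page source) instead of
 * being interpreted by the browser.
 */
function custom_pub_example_list_safe(array $labels) {
  $rows = array();
  foreach ($labels as $label) {
    $rows[] = array(
      check_plain($label->name),
      check_plain($label->machine_name),
    );
  }
  return theme('table', array(t('Label'), t('Machine name')), $rows);
}
```

The same rule applies wherever the label is echoed, including form element options and titles: any administrator-supplied string must be run through check_plain() (or filter_xss() where limited markup is intended) at the point of output.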

Systems affected:

Drupal 6.22 with Custom Publishing Options 6.x-1.4 was tested and shown to be vulnerable.

Impact:

A user could inject arbitrary scripts into pages viewed by other site users. This could result in administrative account compromise, which in turn could lead to compromise of the web server process.

Mitigating factors:

To carry out script injection, a malicious user must have the 'Administer nodes' permission.

Proof of Concept Exploit:

  1. Install and enable the Custom Publishing Options module
  2. Add a new label at ?q=admin/content/custom_pub, inserting arbitrary HTML in the 'Publishing label' field.
  3. Save the label to view the rendered script, or view it on the create content page for the appropriate content type.

Vendor Response:

After the vulnerability was publicly disclosed on this site on 30 May 2012 (http://www.madirish.net/538) and the vendor was notified of the disclosure, work commenced that resulted in SA-CONTRIB-2012-127 on 15 August 2012, recommending an upgrade to version 6.x-1.4 or later.