Open source software security

Drupal Hotblocks Module XSS and DoS Vulnerabilities

15 August 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
Reported: August 6, 2012
CVE: CVE-2012-5705 and CVE-2012-5704
OSVDB: 84750

Description of Vulnerability:

The Drupal HotBlocks module (https://drupal.org/project/hotblocks) contains a persistent cross site scripting (XSS), or arbitrary script injection, vulnerability due to the fact that it fails to sanitize user supplied data before display. The HotBlocks module also suffers from a denial of service vulnerability due a user triggered infinite recursion. The HotBlocks module provides a host of functions that allow users to manipulate nodes or blocks inline.

Systems affected:

Drupal 6.26 with HotBlocks 6.x-1.7 was tested and shown to be vulnerable.

Impact

Users can inject arbitrary HTML (including JavaScript) in order to attack site users, including administrative users. This could lead to account compromise, which could in turn lead to web server compromise, or expose administrative users to client side malware attacks.

Malicious users could crash a Drupal site exploiting the Denial of Service vulnerability.

Mitigating factors:

In order to inject arbitrary script malicious users must have the ability "administer hotblocks".

XSS Exploit:

  1. Install and enable the HotBlocks module
  2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
  3. Change Block #1 Name to "<script>alert('xss');</script>"
  4. View the rendered Javascript at ?q=admin/content/hotblocks

Denial of Service Exploit:

  1. Install and enable the HotBlocks module
  2. Navigate the Hotblocks setting page at ?q=admin/settings/hotblocks
  3. Change Block #1 Name to "<script>alert('xss');</script>"
  4. Change "Term for hotblocks item:" to "hotblock item <script>alert('hotblock term');</script>"
  5. Change "Term for hotblocks items:" to "hotblock item <script>alert('hotblock terms');</script>"
  6. Save configuration
  7. Go to Block admin at ?q=admin/build/block
  8. Drag the Block #1 to the left sidebar and 'Save'
  9. Return to the home page.
  10. Click the 'Put a hotblock here' icon in the left sidebar and click the malicious name. This points to a link such as hotblocks/assign/11/1?destination=node&path=node&systemtype=block&token=343d600c37a2ed557df7cd22a0010352
  11. Refresh the page - WSOD, error logs indicate something like:

[Mon Aug 06 15:42:37 2012] [notice] child pid 4559 exit signal Segmentation fault (11)
or
[Mon Aug 06 15:22:29 2012] [error] [client 10.10.0.1] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/drupal-6.26/includes/bootstrap.inc on line 860, referer: http://10.10.0.101/drupal/

Vendor Response

Vendor released SA-CONTRIB-2012-126 on 15 August, 2012 which recommends upgrade to the latest version of Hotblocks >= 6.x-1.8