Drupal Inf08 Theme XSS Vulnerability

1 November 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
Reported: 4 September, 2012

CVE: Requested
OSVDB: 85422

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal's appearance is customized using packaged themes. The third-party Inf08 theme (https://drupal.org/project/inf08) contains an arbitrary script injection vulnerability (XSS) because it fails to sanitize user-supplied taxonomy elements (the vocabulary name) before displaying them.

Systems affected:

Drupal 6.24 with Inf08 6.x-1.9 was tested and shown to be vulnerable.

Impact

Users can inject arbitrary HTML (including JavaScript) in order to attack site users, including administrative users. This could lead to account compromise, which could in turn lead to web server compromise, or expose users to client-side malware attacks.

Mitigating factors:

In order to inject arbitrary script, malicious users must have the "administer taxonomy" permission to exploit this vulnerability.

Proof of Concept Exploits:

  1. Install and enable the Inf08 theme
  2. Create a new vocabulary at ?q=admin/content/taxonomy/add/vocabulary with the name "<script>alert('xss');</script>"
  3. Apply the vocabulary to the 'Story' content type and save the vocabulary
  4. Create a new story at ?q=node/add/story, being sure to add a term from the newly created vocabulary
  5. Save the story and view any page on which the story is displayed to trigger the injected code.
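The markup the steps above produce, shown as an added, stand-alone example rather than the Inf08 theme's own code: the vulnerable concatenation from template.php beside the check_plain()-escaped form used by the patch. The check_plain() stand-in is assumed to match Drupal 6's behaviour (htmlspecialchars with ENT_QUOTES and UTF-8) so the script runs outside Drupal; the vocabulary object is constructed from the proof-of-concept name.

```php
<?php
// Added example, not code from the Inf08 theme or Drupal core.
// Outside Drupal check_plain() does not exist; this stand-in is assumed to
// reproduce Drupal 6's escaping (htmlspecialchars, ENT_QUOTES, UTF-8).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed vocabulary object carrying the name from the proof of concept.
$vocabulary = (object) array(
  'vid'  => 2,
  'name' => "<script>alert('xss');</script>",
);

// Vulnerable rendering (Inf08 6.x-1.9 before the patch): the vocabulary name
// is concatenated into the page raw, so the browser executes the script tag.
function render_vocab_unsafe($vocabulary) {
  return '<li class="vocab vocab-' . $vocabulary->vid . '"><span class="vocab-name">'
    . $vocabulary->name . ':</span>';
}

// Patched rendering: check_plain() converts <, >, &, and quotes to entities,
// so the same name is displayed as text. The (int) cast on vid is an added
// belt-and-braces step for the class attribute, not part of the vendor patch.
function render_vocab_safe($vocabulary) {
  return '<li class="vocab vocab-' . (int) $vocabulary->vid . '"><span class="vocab-name">'
    . check_plain($vocabulary->name) . ':</span>';
}

// Simple audit helper: flags a rendered fragment that still contains a raw
// script tag, which is what a theme reviewer would grep for after applying a fix.
function contains_raw_script($html) {
  return stripos($html, '<script') !== false;
}

echo render_vocab_unsafe($vocabulary), "\n";
echo render_vocab_safe($vocabulary), "\n";
var_dump(contains_raw_script(render_vocab_unsafe($vocabulary)));
var_dump(contains_raw_script(render_vocab_safe($vocabulary)));
```

Run with `php example.php` to compare the two fragments; only the unpatched one keeps the script tag intact.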

Patch:

The following patch mitigates this vulnerability.

--- template.php	2012-09-04 11:17:12.683228986 -0400
+++ template.php.fixed	2012-09-04 11:17:00.744792225 -0400
@@ -157,7 +157,7 @@ function phptemplate_preprocess_node(&$v
 
       if ($terms) {
         if ($vocabulary->vid != $category_setting) {
-          $output .= '<li class="vocab vocab-'. $vocabulary->vid .'"><span class="vocab-name">'. $vocabulary->name .':</span> <span class="vocab-list">';
+          $output .= '<li class="vocab vocab-'. $vocabulary->vid .'"><span class="vocab-name">'. check_plain($vocabulary->name) .':</span> <span class="vocab-list">';
           $links = array();
 
           foreach ($terms as $term) {
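Review bot: the hunk escapes `$vocabulary->name` but ends at `foreach ($terms as $term) {`, whose body is not in the diff; since the advisory concerns user-supplied taxonomy elements generally, confirm that term names emitted inside that loop also pass through check_plain() (or are rendered with l(), which escapes its link text) before treating the template as fixed. On the same changed line, `$vocabulary->vid` is still concatenated raw into the class attribute; it is an integer id from the database, but an explicit `(int)` cast would document that assumption.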

Vendor Response

SA-CONTRIB-2012-140 - Inf08 - Cross Site Scripting (XSS) - upgrade to the latest version of Inf08.