Drupal OM Maximenu Multiple Vulnerabilities

8 November 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>

Reported: September 10, 2012

CVE: Requested
OSVDB: 87247

Description of vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The third party OM Maximenu module "can create menus with all other module blocks you want as attachments, modules like views, slideshow, menu, user, nice menus, quicktabs, and custom blocks with tables, lists, images, videos, etc." The OM Maximenu module (https://drupal.org/project/om_maximenu) suffers from a number of vulnerabilities, including several arbitrary script injection (XSS) flaws. The module also gives users with permission to "Administer OM Maximenu" the ability to execute arbitrary PHP with no indication of the power of this privilege.

The vulnerabilities described in this report only affect Drupal sites with the OM Maximenu module installed. This report resulted from a superficial review of the OM Maximenu module; other vulnerabilities may, and likely do, exist in this module.

Systems affected:

Drupal 6.26 with OM Maximenu 6.x-1.43 was tested and shown to be vulnerable

Impact:

Users can inject arbitrary HTML (including JavaScript) in order to attack site users, including administrative users. This could allow attackers to perform client-side attacks (such as drive-by download malware installations), steal user credentials, or compromise other Drupal accounts.

Attackers who gain access to user accounts with "Administer OM Maximenu" permissions can execute arbitrary PHP in the context of the web server, which could allow them to compromise the host operating system, steal sensitive data from the Drupal database, escalate privileges, or otherwise damage the site and/or host.

Mitigating factors:

In order to perform any of the above listed malicious activities, attackers must have access to an account with the "Administer OM Maximenu" privilege.

Technical details:

  1. Link titles allow for arbitrary HTML injection.
  2. Link titles allow arbitrary PHP if "Title has PHP" in "Title Options" is checked. This functionality is not documented on the permissions page, so any user with "Administer OM Maximenu" can execute PHP.
  3. "Path Query" and "Anchor" parameters in links allow for arbitrary script injection.
  4. Maximenu title (?q=admin/settings/om-maximenu) allows for arbitrary script injection.
  5. OM Maximenu fails to sanitize vocabulary names before display (?q=admin/settings/om-maximenu/import).

Proof of concept exploits:

Menu title:

  1. Install and enable OM Maximenu module
  2. Add a new menu at ?q=admin/settings/om-maximenu/add
  3. Enter "<script>alert('xss');</script>" for the "Menu Title"
  4. Save the menu to view the rendered JavaScript

Link title:

  1. Install and enable OM Maximenu module
  2. Add a new menu at ?q=admin/settings/om-maximenu/add
  3. Add a new link to the menu at ?q=admin/settings/om-maximenu/1/edit
  4. Enter "<script>alert('xss')</script>" for the "Link Title"
  5. Enable the menu block for display at ?q=admin/build/block
  6. View the rendered JavaScript whenever the menu block is displayed

Path Query:

  1. Install and enable OM Maximenu module
  2. Add a new menu at ?q=admin/settings/om-maximenu/add
  3. Add a new link to the menu at ?q=admin/settings/om-maximenu/1/edit
  4. Enter ""><script>alert('xss');</script><a " for the "Path Query"
  5. Enable the menu block for display at ?q=admin/build/block
  6. View the rendered JavaScript whenever the menu block is displayed

Anchor:

  1. Install and enable OM Maximenu module
  2. Add a new menu at ?q=admin/settings/om-maximenu/add
  3. Add a new link to the menu at ?q=admin/settings/om-maximenu/1/edit
  4. Enter ""><script>alert('xss');</script><a " for the "Anchor"
  5. Enable the menu block for display at ?q=admin/build/block
  6. View the rendered JavaScript whenever the menu block is displayed

Vocabulary name:

  1. Install and enable OM Maximenu module
  2. Enable Taxonomy module
  3. Create a new vocabulary at ?q=admin/content/taxonomy/add/vocabulary
  4. Enter "<script>alert('xss');</script>" for "Vocabulary name" and save
  5. Add a term to the vocabulary at ?q=admin/content/taxonomy/[x]/add/term where [x] is the vocabulary id number
  6. View the rendered JavaScript at ?q=admin/settings/om-maximenu/import
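As an added illustration of the rendering flaw behind technical details 1 and 3 (this is not the module's own code), the stand-alone PHP below builds a menu link from stored "Link Title", "Path Query" and "Anchor" values, first concatenated into markup unescaped as the advisory describes and then with Drupal 6 style output escaping. The renderer names, the simplified check_url stand-in and the sample link record are assumptions constructed for this example; only the field names and payloads come from the advisory.

```php
<?php
// Added example, not code from the OM Maximenu module. A menu link is built
// from stored admin input the unsafe way (raw concatenation) and the safe way
// (Drupal 6 output escaping). Renderer names and the sample record are
// constructed for illustration; the field names come from the advisory.

// Stand-ins for Drupal 6 helpers so this file runs without a Drupal bootstrap.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}
if (!function_exists('check_url')) {
  // Simplified stand-in for Drupal's check_url(): drop a script-bearing
  // scheme, then escape the value for use inside an HTML attribute.
  function check_url($uri) {
    $uri = preg_replace('/^\s*(javascript|vbscript|data):/i', '', $uri);
    return check_plain($uri);
  }
}

// Vulnerable pattern: stored input is concatenated straight into markup, so
// a title with <script> or a query/anchor value that closes the href
// attribute with "> executes in every visitor's browser.
function om_example_render_link_unsafe(array $link) {
  $href = $link['path'] . '?' . $link['query'] . '#' . $link['anchor'];
  return '<a href="' . $href . '">' . $link['title'] . '</a>';
}

// Hardened pattern: escape the element body and the attribute value. In a
// real Drupal 6 module, l($title, $path, array('query' => ..., 'fragment' =>
// ...)) performs exactly this escaping for you.
function om_example_render_link_safe(array $link) {
  $href = check_url($link['path'] . '?' . $link['query'] . '#' . $link['anchor']);
  return '<a href="' . $href . '">' . check_plain($link['title']) . '</a>';
}

// Constructed link record using the payloads from the proof-of-concept steps.
$link = array(
  'title'  => "<script>alert('xss')</script>",
  'path'   => 'node/1',
  'query'  => "\"><script>alert('xss');</script><a ",
  'anchor' => 'top',
);
$unsafe = om_example_render_link_unsafe($link);
$safe   = om_example_render_link_safe($link);
// The unsafe markup carries a live <script> element; the escaped one does not.
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
echo $unsafe, "\n", $safe, "\n";
```

Run it with `php example.php`: the first line of output is the injected markup a browser would execute, the second is the same data rendered as inert text.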

Vendor Response:

Vendor released SA-CONTRIB-2012-160 on 7 November 2012, which recommends upgrading to version 6.x-1.44 or 7.x-1.44, depending on your Drupal version.