Drupal Ctools/Panels XSS Vulnerability

15 November 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>

Reported: October 31, 2012

CVE: None assigned yet
OSVDB: None assigned yet

Description of Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Ctools (https://drupal.org/project/ctools) is a third party Drupal module serving as a "set of APIs and tools to improve the developer experience." The Panels module (https://drupal.org/project/panels) is a third party module, reported use on over 100,000 sites. "The Panels module allows a site administrator to create customized layouts for multiple uses. At its core it is a drag and drop content manager that lets you visually design a layout and place content within that layout." The Drupal Panels module, which depends on Ctools, manifests a persistent cross site scripting (XSS) vulnerability due to the fact that Ctools fails to sanitize node titles before display in node views handled by the Ctools page manager plugin.

Systems affected:

Drupal 6.26 with Ctools 6.x-1.9 and Panels 6.x-3.10 was tested and shown to be vulnerable

Impact:

Users can inject arbitrary HTML (including JavaScript) in order to attack site users, including administrative users. This could lead to account compromise, which could in turn lead to web server compromise, or expose administrative users to client side malware attacks. (Ref: http://www.madirish.net/548)

Mitigating factors:

In order to inject arbitrary script malicious users must have the ability create node content. Additionally the Panels module must be configured to override the default display of affected node types.

Proof of Concept Exploit:

Install Drupal 6.26
Enabled modules and versions:

  • Administration menu 6.x-1.8
  • Content 6.x-2.9
  • Ctools 6.x-1.9
  • Page Manager 6.x-1.9
  • Color 6.26
  • Comment 6.26
  • Database logging 6.26
  • Help 6.26
  • Menu 6.26
  • Taxonomy 6.26
  • Update Status 6.26
  • Panels Nodes 6.x-3.10
  • Panels 6.x-3.10
  1. Create a new story with some JavaScript in the title
  2. Go to ?q=admin/build/pages/edit/node_view
  3. Click 'Add new variant'
  4. Enter arbitrary 'Title' leave drop down to 'Panel' and check 'Selection rules' and 'Contexts' then click 'Create variant'
  5. Change drop down to 'Node: type' and click 'Add'
  6. In modal pop-up check 'Story' and click 'Save'
  7. Ensure 'All criteria must be passed' is radio is selected and click 'Continue'
  8. Ensure No contexts or relationships are being defined, so that the summary of contexts is simply:

    Argument 1 Node being viewed
    Keyword: %node
    %node:uid --> Author UID
    %node:nid --> Node ID
    %node:vid --> Node revision ID
    %node:title --> Node title
    %node:type --> Node type
  9. Click 'Continue'
  10. Select 'Columns: 1' from Category, select only radio button and click 'Continue'
  11. Enter an arbitrary admin title, do not check the 'Disable Drupal blocks/regions', make sure the 'Standard' renderer radio button is selected, no 'CSS ID' or 'CSS code' are provided' and click 'Continue'
  12. Leave the 'Title type' to 'Manually set' and the 'Title:' field empty then click 'Create variant'
  13. Click 'Save'
  14. View the node at ?q=node/5 (or whatever the nid from step 1 is) to see the JavaScript

Vendor Response

SA-CONTRIB-2012-165 was released on November 14, 2012. Upgrading to Ctools versions 6.x-1.10 or later will address the vulnerabilities in this report.