Drupal Core XSS Vulnerabilities
Author: Justin C. Klein Keane
Reported: 7 August, 2013
Description of Vulnerability:
Drupal (https://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal core suffers from multiple persistent (stored) cross site scripting (XSS, or arbitrary script injection) because the core System module fails to sanitize module names and descriptions provided in module metadata files (identified by their .info extension) before display in some locations.
Drupal 7.22 and 6.28 were tested and shown vulnerable. Other versions are likely affected.
In order to inject arbitrary script malicious attackers must have the ability to manipulate module .info files on a site filesystem, perhaps via permissions misconfiguration, or to manipulate these files in modules before they are deployed to a site, such as with the Features module (https://drupal.org/project/features). It would be quite rare to be able to manipulate a .info file without the ability to manipulate actual PHP code contained in modules. However, malicious script contained in .info files would likely be overlooked in any security audit since these files are assumed to be inert text files, devoid of any scripting, markup, or executable code. It is worth noting that the content of .info files is sanitized for display in some locations, but this treatment is not uniform. Thus the likelihood of an attack via this vector is low, but the impact is extremely high, and the attack would likely escape notice by most automated and manual security countermeasures.
Proof of Concept Exploits:
- Install Drupal 7-22
- Create a new directory in the /sites/all/modules named "evil"
- Create the file evil.info in the /sites/all/modules/evil directory to include the following content:
name = <script>alert('evil name');</script> description = <script>alert('evil desc');</script> core = 7.x package = Other version = 7.x-1.0 project = evil_feature dependencies = system
- Create the file evil.module in the /sites/all/modules/evil directory to include the following contents:
<?php /** * @file * Drupal needs this blank file. */
- Note that the listing of the evil module name under the System module is properly sanitized
The following patch mitigates this vulnerability in Drupal 7:
--- modules/system/system.admin.inc 2013-04-03 17:29:52.000000000 -0400 +++ modules/system/system.admin.inc 2013-08-07 10:47:29.277279676 -0400 @@ -979,10 +979,10 @@ function _system_modules_build_row($info ); // Set the basic properties. $form['name'] = array( - '#markup' => $info['name'], + '#markup' => check_plain($info['name']), ); $form['description'] = array( - '#markup' => t($info['description']), + '#markup' => t("@desc", array('@desc' => $info['description'])), ); $form['version'] = array( '#markup' => $info['version'],
The Drupal Security Team does not consider this vulnerability an issue because they feel that an attacker would never be able to manipulate a .info file without being able to manipulate PHP code found in other files in the same directory. Furthermore, the Drupal Security Team feels this issue is already public (https://drupal.org/node/637538), however the public discussion only concerns the development of the next major release of Drupal - Drupal 8. There is no mention in the public discussion, of the fact that this issue faces both current supported release versions (Drupal 7 and Drupal 6) and likely previous releases.