Open source software security

Drupal Creative Commons 6.x-1.0 XSS Vulnerability

26 April 2012

Vulnerability Report

Reported: February 13, 2012

CVE: CVE-2012-2297

OSVDB: 81551

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Creative Commons module (https://drupal.org/project/creativecommons) "allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. It also provides integration between CC and Drupal technology." The Creative Commons module contains multiple persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied input before display.

Systems affected:

Drupal 6.22 with Creative Commons 6.x-1.0 was tested and shown to be vulnerable

Impact

Users administering the Creative Commons module can inject arbitrary script that is executed whenever new content of selected types is created or edited, whenever a page with the license is viewed, or whenever Views are administered. This could lead to privilege escalation, account compromise, or other attacks (such as client side exploits).

Mitigating factors:

In order to execute arbitrary script injection malicious users must have the ability to administer the Creative Commons module.

Proof of concept exploit:

  1. Install and enable the Creative Commons module
  2. Navigate to the settings page at ?q=admin/settings/creativecommons/edit
  3. Enter "<script>alert('xss');</script>" for the "Custom message" and save
  4. Apply the module to the Story content type at ?q=admin/settings/creativecommons/types
  5. View the create Story page at ?q=node/add/story to view rendered JavaScript
  1. Install and enable the Creative Commons module
  2. Navigate to the settings page at ?q=admin/settings/creativecommons/default
  3. Check the box to 'Use the default license as a site...'
  4. Enter "<script>alert('xss');</script>" in the 'Additional text:' area
  5. Save the configuration
  6. Move the "Creative Commons Site License" to a visible region at ?q=admin/build/block
  7. Save the block configuration to view the JavaScript alert
  8. This alert can also be viewed in the Views settings page (?q=admin/build/views)

Patch:

The following patches mitigates these vulnerabilities:

$ diff -up creativecommons/creativecommons.module creativecommons.fixed/creativecommons.module 
--- creativecommons/creativecommons.module	2011-03-29 20:57:41.000000000 -0400
+++ creativecommons.fixed/creativecommons.module	2012-02-13 12:48:35.572939780 -0500
@@ -1870,7 +1870,7 @@ function creativecommons_node_form($node
 
   if (variable_get('creativecommons_user_message', '')) {
     // Custom Creative Commons license description
-    $description = variable_get('creativecommons_user_message', '');
+    $description = filter_xss(variable_get('creativecommons_user_message', ''));
   }
   else {

$ diff -up creativecommons/theme/theme.inc creativecommons.fixed/theme/theme.inc 
--- creativecommons/theme/theme.inc	2011-03-29 20:57:41.000000000 -0400
+++ creativecommons.fixed/theme/theme.inc	2012-02-13 12:46:36.846006949 -0500
@@ -18,7 +18,7 @@ function theme_creativecommons_site_lice
 
   // Additional text
   if ($additional_text = variable_get('creativecommons_site_license_additional_text', '')) {
-    $output .= '<br/>'. $additional_text;
+    $output .= '<br/>'. filter_xss($additional_text);
   }
 
   // RDF output

Vendor response:

On 25 April, 2012 the vendor released SA-CONTRIB-2012-062 (https://drupal.org/node/1547520) advising users to upgrade to version 6.x-1.1 or later.