Drupal Wishlist 6.x-2.4 XSS Vulnerability
Vulnerability ReportAuthor: Justin C. Klein Keane <firstname.lastname@example.org>
Description of Vulnerability:
Drupal 6.22 with Wish List 6.x-2.4 was tested and shown to be vulnerable
In order to exploit this vulnerability site users must be tricked into visiting a specific link and then manipulating the show/hide purchase details drop down. This drop down is only rendered if the user is viewing their own Wish List and the module is configured to hide the purchased status from them.
Proof of Concept Exploit:
- Install and enable the Wish List module
- Configure the Wish List to 'Hide the purchase information from the user' at ?q=admin/settings/wishlist
- Allow non-admin users to create/view wish lists and 'reveal purchase status' at ?q=admin/user/permissions
- Log in as a regular user and create a wish list at ?q=node/add/wishlist
- View the Wish List at ?q=node/X/';alert('xss');var foo=' where X is the Wish List node id
Upgrade to the latest version of the module SA-CONTRIB-2012-042.