Drupal Taxonomy Theme 5.x-1.1 XSS Vulnerability


Version Tested: Taxonomy Theme 5.x-1.1, Drupal 5.15

Module maintainer and Drupal security team notified

"The taxonomy_theme module allows you to change the theme of a given node based on the taxonomy term, vocabulary or nodetype of that node. You can also theme your forums and map themes to Drupal paths or path aliases directly." The module contains a Cross Site Scripting (XSS) vulnerability that can allow users with 'administer taxonomy' privileges to expose users of the Taxonomy Theme module to XSS attacks.

Executing the Attack:

  1. Enable the Drupal core Taxonomy module.
  2. Create a new vocabulary by clicking Administer -> Content Management -> Categories.
  3. Click the 'Add Vocabulary' link.
  4. For the 'Vocabulary name' enter <script>alert('xss');</script>, and fill in arbitrary values for all other fields.
  5. Click on Administer -> Site configuration -> Taxonomy Theme, then click the 'Taxonomy' link to trigger the JavaScript.

Technical Details:

This flaw exists due to a lack of output sanitization in the taxonomy_theme_admin_table_builder() function. Specifically, line 388 of taxonomy_theme_admin.inc, which reads:

$form['table'][$item->$data['key']]['title'] = array('#value' => $item->name);

should pass the $item->name value through check_plain() or a similar sanitization function before it is used as a markup value, like so:

$form['table'][$item->$data['key']]['title'] = array('#value' => check_plain($item->name));
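To show concretely why the missing check_plain() matters, here is an added stand-alone PHP model of the flawed line beside its fix. It is not the module's code: check_plain() is a stub re-implementation of Drupal 5's function (htmlspecialchars with ENT_QUOTES), the 'vid' key and the vocabulary objects are constructed, and build_title_cells() is a hypothetical stand-in for the table builder.

```php
<?php
// Added example, not taxonomy_theme code: models the '#value' cell of the
// admin table with and without output sanitization.

// Stub of Drupal 5's check_plain(): HTML-escape a string so that it can be
// placed into markup without being interpreted as HTML.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for the relevant part of
// taxonomy_theme_admin_table_builder(): build the 'title' cells for a list
// of vocabularies. $sanitize = FALSE reproduces the vulnerable line,
// $sanitize = TRUE reproduces the fixed line.
function build_title_cells(array $items, $sanitize) {
    $form = array();
    foreach ($items as $item) {
        $value = $sanitize ? check_plain($item->name) : $item->name;
        // Drupal 5 renders a markup element's '#value' verbatim, so whatever
        // ends up here is sent to the administrator's browser unchanged.
        $form['table'][$item->vid]['title'] = array('#value' => $value);
    }
    return $form;
}

// Constructed vocabulary objects; the second name is the payload from the
// reproduction steps above, as an 'administer taxonomy' user could store it.
$vocabs = array(
    (object) array('vid' => 1, 'name' => 'Forums'),
    (object) array('vid' => 2, 'name' => "<script>alert('xss');</script>"),
);

foreach (array(FALSE, TRUE) as $sanitize) {
    echo $sanitize ? "With check_plain():\n" : "Without check_plain():\n";
    $form = build_title_cells($vocabs, $sanitize);
    foreach ($form['table'] as $vid => $row) {
        $value = $row['title']['#value'];
        // A cell that still contains a raw '<' will be parsed as markup.
        $status = (strpos($value, '<') === false) ? 'inert text' : 'ACTIVE MARKUP';
        echo "  vid $vid [$status]: $value\n";
    }
}
```

Running the script shows the unsanitized row carrying the script tag intact while the sanitized row carries only &lt;script&gt; entities, which is the whole difference between the two lines quoted above.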

Solution

Upgrade to the latest version of the Taxonomy Theme module.