Drupal Service Links 6.x-1.0 XSS Vulnerability

30 November -0001

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Service links module (http://drupal.org/project/service_links) "enables admins to add links to a number of social bookmarking sites, blog search sites etc. "

The Service Links module contains a cross site scripting vulnerability because it does not properly sanitize output of content type names before display.

Systems affected:

Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be vulnerable.


XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The Service links module must be installed. To carry out a Service links based XSS exploit the attacker must have 'administer content types' permissions.

Proof of Concept:

  1. Install Drupal 6.14
  2. Install Service links 6.x-1.0
  3. Enable the Service links module from Administer -> Site building -> Modules
  4. Create a new Content type from Administer -> Content management -> Content types and click 'Add content type'
  5. For the 'name' field enter <script>alert('xss');</script> and save the content type
  6. Click Administer -> Site configuration -> Service links to trigger the JavaScript

Technical details:

The Service links module fails to sanitize the output of the content type names before display. Applying the following patch fixes this vulnerability.


Applying the following patch mitigates these threats.

--- service_links/service_links.module	2008-02-26 12:01:27.000000000 -0500
+++ service_links/service_links.module	2009-10-02 06:33:21.000000000 -0400
@@ -35,11 +35,12 @@ function service_links_admin_settings() 
     '#title' => t('Where to show the service links'),
     '#description' => t('Set the node types and categories you want to display links for.'),
+  $names = array_map('filter_xss', node_get_types('names'));
   $form['where_to_show_the_links']['service_links_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Node types'),
     '#default_value' => variable_get('service_links_node_types', array()),
-    '#options' => node_get_types('names'),
+    '#options' => $names,
   if (module_exists('taxonomy')) {
     $form['where_to_show_the_links']['service_links_category_types'] = array(