Drupal Answers 5.x-1.x-dev XSS Vulnerability

30 November -0001


Drupal is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. Whiel the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security.

The Drupal Answers module, created by "Drupal experts" TickleSpace (http://ticklespace.com/) is designed to allow users to create "quests" in the form of questions. Users are then allowed to post answers to these quests. However, the answers submitted by users are not properly sanitized, leading to cross site scripting vulnerabilities. When a user posts a Simple Answer, using the link provided in nodes that are questions, the data entered in the "Answer:" text area is not validated. Users can enter malicious javascript or other data. In a default configuration this data is then rendered on the front page of the Drupal installation, subjecting users to a cross site scripting attack.

Vulnerable Versions

5.x-1.1-dev, dated 2008-May-22 was tested and shown vulnerable.

Testing for Vulnerability

Entering a value of "<script>alert('foo');</script>" as an answer will cause an alert box with the text "foo" to appear whenever the answer is displayed.

Determining Version

The answers.info page for vulnerable versions displays the following information:

; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $
name = Questions
description =  Allows users track their questions.
package = "Answers"
; Information added by drupal.org packaging script on 2008-05-22
version = "5.x-1.x-dev"
project = "answers"
datestamp = "1211414452"

Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).