Drupal Wishlist 6.x-2.4 XSS Vulnerability

21 March 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-2069
OSVDB: 80282

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Wish List module (https://drupal.org/project/wishlist) "Allows authorized users to submit wishlist nodes to your web site which describe items they would like for a special occasion." The Wish List module contains a cross site scripting vulnerability due to the fact that unchecked URL variables are used to render JavaScript actions on site pages.

Systems affected:

Drupal 6.22 with Wish List 6.x-2.4 was tested and shown to be vulnerable


Users viewing pages with maliciously crafted URL's are subject to JavaScript execution controlled by an attacker. This can be used to perform reflected cross site scripting (XSS) or cross site request forgery (XSRF). User account credentials could be exposed or compromised, or users could be redirected to sites designed for phishing or hosting malware.

Mitigating factors:

In order to exploit this vulnerability site users must be tricked into visiting a specific link and then manipulating the show/hide purchase details drop down. This drop down is only rendered if the user is viewing their own Wish List and the module is configured to hide the purchased status from them.

Proof of Concept Exploit:

  1. Install and enable the Wish List module
  2. Configure the Wish List to 'Hide the purchase information from the user' at ?q=admin/settings/wishlist
  3. Allow non-admin users to create/view wish lists and 'reveal purchase status' at ?q=admin/user/permissions
  4. Log in as a regular user and create a wish list at ?q=node/add/wishlist
  5. View the Wish List at ?q=node/X/';alert('xss');var foo=' where X is the Wish List node id
  6. Manipulate the 'Show purchase details' drop down to execute the JavaScript alert

Vendor Response:

Upgrade to the latest version of the module SA-CONTRIB-2012-042.