Drupal Multiblock 6.x-1.3 XSS Vulnerability
Description of Vulnerability:
CVE: CVE-2012-2070
OSVDB: 80673
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and typically backed by MySQL. The Drupal Multiblock module (https://drupal.org/project/multiblock) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize block descriptions before displaying them.
Systems affected:
Drupal 6.22 with Multiblock 6.x-1.3 was tested and shown to be vulnerable
Impact
A user could inject arbitrary script into pages viewed by other site users. This could result in attackers taking control of site users' web browsers or carrying out other client-side attacks.
Mitigating factors:
To inject arbitrary script, a malicious user must have permission to administer blocks.
Proof of concept exploit:
- Install and enable the Multiblock module
- Create a new block at ?q=admin/build/block/add and enter "<script>alert('xss');</script>" as the description
- Create a new instance at ?q=admin/build/block/instances and select the block created in the previous step in the 'Block type' drop-down
- Save the instance; the persistent JavaScript executes when ?q=admin/build/block/instances is viewed
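The pattern behind the proof of concept, shown as an added illustration rather than the Multiblock module's own code: a block description supplied by a user with block administration rights is concatenated into the HTML of the instance listing. The function and variable names below are hypothetical, the instance data is constructed, and check_plain() is reimplemented only so the file runs outside a Drupal bootstrap (Drupal's own check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8 after a UTF-8 validity check).

```php
<?php
// Added illustration, not the Multiblock module's code: the vulnerable
// pattern described in the advisory (a block description rendered into the
// instances page verbatim) beside the hardened form.
//
// check_plain() is Drupal's HTML escaper. Outside a Drupal bootstrap we
// define an equivalent so this file runs stand-alone with plain `php`.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: one ordinary block and one whose description
// carries the advisory's proof-of-concept payload, as a user holding block
// administration rights could enter it.
$instances = array(
  array('delta' => 1, 'description' => 'Site footer'),
  array('delta' => 2, 'description' => "<script>alert('xss');</script>"),
);

// VULNERABLE (hypothetical): the user-supplied description goes into the
// table row untouched. theme('table') treats cell contents as HTML, so the
// browser executes the script whenever an administrator views the listing.
function instance_rows_vulnerable(array $instances) {
  $rows = array();
  foreach ($instances as $instance) {
    $rows[] = array($instance['delta'], $instance['description']);
  }
  return $rows;
}

// HARDENED: every untrusted string is passed through check_plain() before
// it reaches the table renderer, so '<' and quotes arrive as entities.
function instance_rows_hardened(array $instances) {
  $rows = array();
  foreach ($instances as $instance) {
    $rows[] = array($instance['delta'], check_plain($instance['description']));
  }
  return $rows;
}

// Minimal stand-in for theme('table'): concatenates cell contents as raw
// HTML, which is exactly the step that makes unescaped descriptions dangerous.
function render_rows(array $rows) {
  $html = "<table>\n";
  foreach ($rows as $row) {
    $html .= '<tr><td>' . implode('</td><td>', $row) . "</td></tr>\n";
  }
  return $html . "</table>\n";
}

echo "Vulnerable output:\n" . render_rows(instance_rows_vulnerable($instances));
echo "Hardened output:\n" . render_rows(instance_rows_hardened($instances));
```

Run with `php` on the command line and compare the two tables: the vulnerable one contains the script element intact, the hardened one shows it as literal text. The same rule applies anywhere the description is echoed, including the 'Block type' drop-down if it is built by hand rather than through the Form API, which escapes select options itself.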
Vendor response:
SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting (https://drupal.org/node/1506390) recommends upgrading to MultiBlock module 6.x-1.4, 7.x-1.1 or later.