-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The CCK module (http://drupal.org/project/cck)
"allows you to add custom fields to nodes using a web browser."

The CCK module version 5.x-1.10 contains a cross site scripting
vulnerability because it does not properly sanitize output of group
labels before display.

Systems affected:
- - - - -----------------
Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.

Impact:
- - - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - - - -------------------
The CCK module must be installed.  To carry out a CCK based XSS exploit
the attacker must have 'administer content types' permission.

Proof of Concept:
- - - ---------------------
1.  Install Drupal 5
2.  Install CCK 5.x-1.10
3.  Enable the CCK module from Administer -> Site building -> Modules
and enable all CCK modules
4.  From Administer -> Content management -> Content types and click the
'edit' link next to the 'Page' content type
5.  Click the 'Add group' tab at the top
6.  Enter "<script>alert('xss');</script>" as the label and save the
group by clicking the 'Add' button at the bottom of the form
7.  On form submission you ill be redirected to
/?q=admin/content/types/page/fields and the JavaScript will be rendered
and execute three times.

Technical details:
- - - ------------------------
The CCK module fails to sanitize the output of the CCK group label
before display on lines 248 and 285 of content_admin.inc.  Applying the
following patch fixes this vulnerability.

Patch
- - - -------
Applying the following patch mitigates these threats.

$ diff -up cck/content_admin.inc cck_fixed/content_admin.inc
- - --- cck/content_admin.inc       2008-09-03 09:45:05.000000000 -0400
+++ cck_fixed/content_admin.inc 2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
               $row[] = drupal_render($form['field-groups'][$fname]);
               break;
             default:
- - -              $row[] = array('data' => $cell, 'class' => $class);
+              $row[] = array('data' => filter_xss($cell), 'class' =>
$class);
             }
           }

@@ -282,7 +282,7 @@ function theme_content_admin_field_overv

             // add the group row in its own table above the group
fields table, then reset $row().
             $fieldset = array(
- - -              '#title' => t('!label (!name)', array('!label' =>
$form['#group_labels'][$fname], '!name' => $fname)),
+              '#title' => t('!label (!name)', array('!label' =>
filter_xss($form['#group_labels'][$fname]), '!name' => $fname)),
               '#collapsible' => TRUE,
               '#collapsed' => FALSE,
               '#value' => theme('table', array(), array(array('data' =>
$row, 'class' => 'content-field-overview-group'))) . theme('table',
$header, $grows),

Vendor Response
- ---------------
Vendor replies that because the vulnerability requires "administer
content types" privilege to exploit, they will not release a security
announcement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkrFbIUACgkQkSlsbLsN1gD9uAcAkpzYFoh1Z+cE6VQlAuuHRYtT
yF/PlmeWdrosXEVGe7ELJw5tv1EbbopeUlIU3D9tH0tftU4Jt1ptTR8j7WMBPQ9E
DeY3wDawxlrkeKmtLtyP9Wq3nZmJARb4518Cx0hMoyt4SIVWpJvgk6AenumpEKO2
DHyTCVyQ7EEWmui1L4eDIIJz4JG4JMJxRK/VZkZhg0ikVIfpE8YP1OvhJjpYo1v5
dH/RP/5sks3Lj9I4zHE1XImeLQRsgBvSPC8PmrPJ+D4g8T1Uw8zkGfYCUhrCFeFC
1OttfJI6m/J4tWxwTPE=
=aG9O
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Reply via email to