
[Full-disclosure] Drupal 6 Date/Calendar XSS Vulnerability

2009-07-24 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vulnerability Report

Date of Original Vendor Contact: May 19, 2009 11:45 GMT -0400
Report Number: 8890
Author: Justin C. Klein Keane <[email protected]>
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-date-xss-vulnerability

Description of Vulnerability


Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Date and Calendar modules
(http://drupal.org/project/date, http://drupal.org/project/calendar)
provide functionality for constructing views based on dates for
calendar type displays. The Calendar module suffers from a cross site
scripting (XSS) vulnerability because it does not sanitize content type
names before displaying them.

Systems affected:


Drupal 6.12 with Date 6.x-2.2, Calendar 6.x-2.1 and Views 6.x-2.6 was
tested and shown to be vulnerable.

Impact


Authenticated users can exploit this vulnerability to escalate privilege
and take control of the web server process.

Mitigating factors:


An attacker must have the 'use date tools' permission in order to exploit
this vulnerability. A victim must have the 'administer views' permission
to be affected by the XSS; otherwise the injected code lands on pages to
which the user is denied access.

Proof of concept:


  1. Install Drupal 6.12.
  2. Install Views, Date, and Calendar and enable all functionality
     through Administer -> Modules.
  3. Click Administer -> Content management -> Date Tools.
  4. Click 'Date wizard' to create a new content type.
  5. Enter "<script>alert('xss');</script>" in the "Content type label"
     textarea.
  6. Enter arbitrary data in other fields.
  7. Click 'save' to view the JavaScript alert.

Alternatively, this XSS can also be triggered by viewing the content type:

  1. Click Administer -> Content management -> Date tools.
  2. Click the 'calendar_date' link next to the new content type.
  3. Observe the JavaScript alert.

Alternatively, this XSS can also be triggered by editing the new view:
go to Administer -> Site building -> Views and click 'Edit' next to the
new 'calendar_date' view.

Timeline:


05-19-09 Drupal security notified of vulnerability
05-21-09 Drupal security acknowledges vulnerability, advises June 3 fix
06-02-09 Drupal security advises that the module maintainer has asked for
an extension, and advises a June 10 fix
06-10-09 Drupal security advises revised fix schedule
07-23-09 ORIGINATOR advises over a month has passed without update and
that disclosure will be made within 24 hours unless circumstances have
changed. ORIGINATOR receives no response.
07-24-09 Public disclosure

Patch


To mitigate this vulnerability, apply the following patch:

--- calendar/includes/calendar_plugin_display_page.inc	2009-01-10 15:04:17.000000000 -0500
+++ calendar/includes/calendar_plugin_display_page.inc	2009-07-24 08:55:23.234846590 -0400
@@ -107,7 +107,7 @@ class calendar_plugin_display_page exten
       $options['calendar_date_link'] = array(
         'category' => 'calendar_settings',
         'title' => t('Add new date link'),
-        'value' => !empty($default) ? node_get_types('name', $default) : '',
+        'value' => !empty($default) ? check_plain(node_get_types('name', $default)) : '',
       );
     }
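Review bot: the '+' line wraps node_get_types('name', $default) in check_plain() only where the name becomes the 'calendar_date_link' option value, while the advisory lists three places the label fires (the wizard's save page, the 'calendar_date' link on the Date Tools listing, and the Views edit screen). Worth confirming that all three render through this option value; any path that reads the type name directly needs the same check_plain() call. A one-line comment on the '+' line noting that the name is user supplied through the Date wizard would also help keep the escaping from being dropped in a later refactor.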

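The PHP below is an added example, not code from the advisory or from the Date/Calendar modules. It reproduces the pattern the description and the patch are about: a content type label that a 'use date tools' user controls is read back via node_get_types('name', ...) and written into output unescaped, shown beside the check_plain() form from the '+' line. node_get_types_stub() and render_link() are constructed stand-ins for the module's data source and display path, and check_plain() is reimplemented locally (Drupal 6 core's version is htmlspecialchars() with ENT_QUOTES and UTF-8 after a UTF-8 validity check) so the script runs outside Drupal.

```php
<?php
// Added example (not Drupal or Calendar module code): the unescaped
// content type label beside the check_plain() form from the patch.

// Local stand-in for Drupal 6 core's check_plain(), so this runs
// outside Drupal. Core validates UTF-8 and then applies
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
function check_plain($text) {
  $text = (string) $text;
  // preg_match() with the /u modifier returns false on invalid UTF-8;
  // core returns '' in that case.
  if (preg_match('//u', $text) !== 1) {
    return '';
  }
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for node_get_types('name', $type). In Drupal the
// name comes from the node_type table, i.e. it is whatever the Date
// wizard user typed into "Content type label".
function node_get_types_stub($op, $type) {
  $types = array(
    'article'       => 'Article',
    'calendar_date' => "<script>alert('xss');</script>", // the advisory's PoC label
  );
  return ($op === 'name' && isset($types[$type])) ? $types[$type] : FALSE;
}

// '-' line of the patch: the label is passed through untouched.
function calendar_date_link_value_vulnerable($default) {
  return !empty($default) ? node_get_types_stub('name', $default) : '';
}

// '+' line of the patch: the label is escaped before display code sees it.
function calendar_date_link_value_fixed($default) {
  return !empty($default) ? check_plain(node_get_types_stub('name', $default)) : '';
}

// Constructed display path that inlines the value as markup, standing in
// for the link text and option descriptions the advisory says fire the alert.
function render_link($value) {
  return '<a href="#">' . $value . '</a>';
}

// Check a reviewer can apply to rendered output: is a raw <script tag still there?
function contains_script_tag($html) {
  return preg_match('/<script\b/i', $html) === 1;
}

$type   = 'calendar_date';
$before = render_link(calendar_date_link_value_vulnerable($type));
$after  = render_link(calendar_date_link_value_fixed($type));

echo "vulnerable: $before\n";
echo "fixed:      $after\n";
echo "script tag survives, vulnerable: " . var_export(contains_script_tag($before), true) . "\n";
echo "script tag survives, fixed:      " . var_export(contains_script_tag($after), true) . "\n";

// Unknown type: node_get_types() returns FALSE and check_plain(FALSE) is '',
// so the fixed path yields an empty string rather than the literal "false".
echo "unknown type: '" . calendar_date_link_value_fixed('nope') . "'\n";
```

The vulnerable path hands render_link() the label as-is, so the script element ends up inside the anchor; the fixed path turns every `<`, `>`, `'` and `"` into an entity, so the browser displays the label text instead of executing it. Escaping at the point where the value is built, as the patch does, is the right place only if every display path reads this option value; any path that calls node_get_types() on its own needs the same treatment.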

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org

iQD1AwUBSmm1bZEpbGy7DdYAAQKPIgb+O9ptCtRsCVvOTBfqZmMYClds1CHtBDWq
wdvEYiK6tsuVIcU6rEFjgGnrIEYz3mGTjxtIrdi9Y6YMfBKOX3TsjPt0SfjD3EwM
PLn40cRITh1vOXyvxqUZYDeOwh/3hdOZ1ecGG7vcpcClcc+dcIjrZxLzFy+qkClE
1JxkRIY8xrYMUM1uwBOvbx9n8C40RPhJJuqlrl3g44BLtkCjKuHL0DjGXeuJRRRB
AS4fI2YjwSHJv8I8KqiBy25tJgtCXxoSS81Wk6uXshlbgk4kfUP/MXtYQA/m+5SV
2tBY5Bn5qx8=
=h7na
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/