Drupal CCK 5.x-1.10 XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The CCK module (http://drupal.org/project/cck) "allows you to add custom fields to nodes using a web browser."

The CCK module version 5.x-1.10 contains a cross site scripting vulnerability because it does not properly sanitize output of group labels before display.

Systems affected:

Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The CCK module must be installed. To carry out a CCK based XSS exploit the attacker must have 'administer content types' permission.

Proof of Concept:

1. Install Drupal 5
2. Install CCK 5.x-1.10
3. Enable the CCK module from Administer -> Site building -> Modules and enable all CCK modules
4. From Administer -> Content management -> Content types and click the 'edit' link next to the 'Page' content type
5. Click the 'Add group' tab at the top
6. Enter <script>alert('xss');</script> as the label and save the group by clicking the 'Add' button at the bottom of the form
7. On form submission you ill be redirected to /?q=admin/content/types/page/fields and the JavaScript will be rendered and execute three times.

Technical details:

The CCK module fails to sanitize the output of the CCK group label before display on lines 248 and 285 of content_admin.inc. Applying the following patch fixes this vulnerability.

Patch

Applying the following patch mitigates these threats.

$ diff -up cck/content_admin.inc cck_fixed/content_admin.inc 
--- cck/content_admin.inc       2008-09-03 09:45:05.000000000 -0400
+++ cck_fixed/content_admin.inc 2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
               $row[] = drupal_render($form['field-groups'][$fname]);
               break;
             default:
-              $row[] = array('data' => $cell, 'class' => $class);
+              $row[] = array('data' => filter_xss($cell), 'class' => $class);
             }
           }
 
@@ -282,7 +282,7 @@ function theme_content_admin_field_overv
 
             // add the group row in its own table above the group fields table, then reset $row().
             $fieldset = array(
-              '#title' => t('!label (!name)', array('!label' => $form['#group_labels'][$fname], '!name' => $fname)),
+              '#title' => t('!label (!name)', array('!label' => filter_xss($form['#group_labels'][$fname]), '!name' => $fname)),
               '#collapsible' => TRUE,
               '#collapsed' => FALSE,
               '#value' => theme('table', array(), array(array('data' => $row, 'class' => 'content-field-overview-group'))) . theme('table', $header, $grows),

Vendor Response

Vendor replies that because the vulnerability requires "administer content types" privilege to exploit, they will not release a security announcement.