Drupal Biblio Module 6.x-1.5 XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Biblio module (http://drupal.org/project/biblio) "allows users manage and display lists of scholarly publications." The Biblio module creates customized views in order to display these listings.
The Biblio module contains a cross-site scripting vulnerability because it does not properly sanitize publication titles before displaying them.
Systems affected:
Drupal 6.13 with Biblio 6.x-1.5 was tested and shown to be vulnerable.
Impact:
Cross-site scripting (XSS) vulnerabilities may expose site administrative accounts to compromise, which could in turn lead to compromise of the web server process.
Mitigating factors:
The Biblio module must be installed. To carry out a Biblio-based XSS attack against the module, the attacker must be able to inject malicious content into Biblio titles, which requires the 'create biblio' permission.
Technical details:
The Biblio module fails to sanitize the title of a Biblio node before display, on line 203 of biblio/biblio_theme.inc. Applying the patch below fixes this vulnerability.
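The following stand-alone PHP is an added illustration, not Biblio's or Drupal's own code: it models the Title row that theme_biblio_tabular() builds, renders it once as the unpatched module does and once through a check_plain() stand-in, so the effect of the one-line patch can be seen on constructed input. The $node object, its title, and the helper names are assumptions made for the example.

```php
<?php
// Added example (not Biblio's own code): the Title row of the tabular view,
// rendered before and after the check_plain() fix. Test data is constructed.

// Stand-in for Drupal 6 core's check_plain(): escape &, <, > and both quote
// characters so the string is inert as HTML element content.
function check_plain_standin($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render a $rows array in the shape Biblio hands to theme('table'):
// each row is a list of cells, each cell an array with a 'data' key.
// The 'class' key is ignored here for brevity.
function render_rows(array $rows) {
  $html = '';
  foreach ($rows as $row) {
    $html .= '<tr>';
    foreach ($row as $cell) {
      $html .= '<td>' . $cell['data'] . '</td>';
    }
    $html .= "</tr>\n";
  }
  return $html;
}

// Constructed node whose title contains markup and quote characters, as a
// user with the 'create biblio' permission could submit.
$node = (object) array('title' => 'A <b>Survey</b> of "Drupal" Modules & Themes');

// Before the patch: the title is inserted verbatim, so its markup is live.
$vulnerable = array(array(
  array('data' => 'Title', 'class' => 'biblio-row-title'),
  array('data' => $node->title),
));

// After the patch: the title passes through check_plain(), markup becomes text.
$fixed = array(array(
  array('data' => 'Title', 'class' => 'biblio-row-title'),
  array('data' => check_plain_standin($node->title)),
));

echo render_rows($vulnerable);
echo render_rows($fixed);

// Regression check a maintainer can keep: no raw tag from the title survives
// in the patched output, while the escaped form does.
assert(strpos(render_rows($fixed), '<b>') === false);
assert(strpos(render_rows($fixed), '&lt;b&gt;Survey&lt;/b&gt;') !== false);
```

Run with `php example.php`; the first table row echoes the `<b>` tag into the page, the second shows it as literal text.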
Patch:
Applying the following patch mitigates these threats.
--- biblio/biblio_theme.inc 2009-06-05 22:14:24.000000000 -0400 +++ biblio/biblio_theme.inc 2009-07-22 11:46:48.885831673 -0400 @@ -200,7 +200,7 @@ function theme_biblio_tabular($node, $ba $fields = _biblio_get_field_information($node->biblio_type, TRUE); $rows[] = array( array('data' => t('Title'), 'class' => 'biblio-row-title'), - array('data' => $node->title) + array('data' => check_plain($node->title)) ); $rows[] = array( array('data' => t('Publication Type'), 'class' => 'biblio-row-title'),
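Review bot: the check_plain() wrap covers only the Title data cell in theme_biblio_tabular(); the trailing context shows the next row ('Publication Type') built with the same array('data' => ...) pattern, but its data cell is outside the hunk, so confirm that it, and every other cell in $rows populated from node fields rather than a t() label, is escaped the same way. Any other Biblio theme function that outputs $node->title should receive the same one-line change, otherwise the unescaped title remains reachable through those render paths; a short comment above the patched line noting that $node->title is user-supplied plain text would help keep the escaping in place through future edits.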