Drupal 5.20 and 6.14 (Core) XSS Vulnerabilities


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules.

Drupal 5.20 and 6.14 fail to properly filter the 'Site name' and 'Site slogan' variables before display in the HTML headers of the page display.

Systems affected:

Drupal 5.20 and Drupal 6.14 were tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

To carry out the cross-site scripting attack detailed below, the attacker must have the 'administer site configuration' permission.

Proof of Concept:

  1. Install Drupal
  2. Change the site name via Administer -> Site configuration -> Site Information
  3. Enter '</title><script>alert('xss');</script>' for the 'Name' value
  4. Enter '<script>alert('xss');</script>' for the 'Slogan' value
  5. Click the 'Save configuration' button; the JavaScript injected via the site name is rendered.
  6. Browse to the site homepage; the JavaScript injected via the site slogan is rendered.

Technical details:

Drupal fails to sanitize the output of the site name in the HTML title tag. If the site name contains a closing title tag (i.e. "</title>"), this interrupts HTML rendering in most browsers, allowing attackers to inject JavaScript. Although in many cases the JavaScript is properly escaped where the site name is displayed in the page body, if a site uses a template that obscures this display (such as one that uses an image layer and CSS to hide the actual text of the site name) there may be no indication that an attack is occurring. This vulnerability also affects the 'Site slogan' value during the homepage display.

The source of this vulnerability in Drupal 5.20 is the failure to sanitize the output of the variable_get('site_name', 'Drupal') call on line 204 of themes/engines/phptemplate.engine. Similarly, output is not sanitized on lines 207 and 209.

The source of this vulnerability in Drupal 6.14 is the failure to sanitize the output of the variable_get('site_name', 'Drupal') call on lines 1799 and 1802 of includes/theme.inc. Similarly, the output of the site slogan is not sanitized on line 1804.
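The title construction described above, rebuilt with an HTML escape on each element, as an added example that is not Drupal core code. It assumes the same inputs the advisory's proof of concept uses; htmlspecialchars() with ENT_QUOTES stands in for Drupal's check_plain(), which wraps that same call.

```php
<?php
// Added example (not Drupal code): build the <title> text the way
// template_preprocess_page()/phptemplate_page() do, but escape every
// element for an HTML text context instead of emitting it raw.
function build_head_title($page_title, $site_name, $site_slogan) {
  // check_plain() in Drupal 5/6 is htmlspecialchars(..., ENT_QUOTES) plus a
  // UTF-8 validity check; htmlspecialchars() stands in for it here.
  $esc = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
  if ($page_title !== '') {
    // drupal_get_title() may carry markup, so core strips it first; the
    // site name is plain text and only needs escaping.
    $head_title = array($esc(strip_tags($page_title)), $esc($site_name));
  }
  else {
    $head_title = array($esc($site_name));
    if ($site_slogan !== '') {
      $head_title[] = $esc($site_slogan);
    }
  }
  return implode(' | ', $head_title);
}

// Constructed values matching the proof-of-concept payloads above.
$name   = "</title><script>alert('xss');</script>";
$slogan = "<script>alert('xss');</script>";

// Vulnerable form: the raw values joined into the title, as in 5.20/6.14.
$raw  = implode(' | ', array($name, $slogan));
// Hardened form.
$safe = build_head_title('', $name, $slogan);

// The raw title still carries the closing tag that breaks out of <title>;
// the escaped one carries no '<' at all, so the browser stays in the title.
assert(strpos($raw, '</title>') !== false);
assert(strpos($safe, '<') === false);
// strip_tags() alone drops the tags but leaves "alert('xss');" untouched
// and would pass through a bare '<' or '&' that forms no tag.
assert(strip_tags($name) === "alert('xss');");

echo "<title>" . $safe . "</title>\n";
```

Run with `php example.php`; the printed title contains `&lt;/title&gt;` rather than a literal closing tag.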

Patch for Drupal 5.20

Applying the following patch mitigates these threats in Drupal 5.20.

--- themes/engines/phptemplate/phptemplate.engine   2009-05-13 12:36:22.000000000 -0400
+++ themes/engines/phptemplate/phptemplate.engine     2009-10-09 13:35:56.167099573 -0400
@@ -201,12 +201,12 @@ function phptemplate_page($content, $sho
   }
   // Construct page title
   if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()), strip_tags(variable_get('site_name', 'Drupal')));
   }
   else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = strip_tags(variable_get('site_slogan', ''));
     }
   }
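Review bot: strip_tags() on the three `+` lines removes tags but is not an HTML escape; a bare '<', '>', '&' or quote that does not form a tag passes through to the title unchanged. The site name and slogan are plain text (unlike drupal_get_title(), which may carry markup the existing strip_tags() call handles), so check_plain(), which Drupal 5 provides for exactly this context, is the better call, e.g. `check_plain(variable_get('site_name', 'Drupal'))`. Also, the hunk as shown is one line short of the `@@ -201,12 +201,12 @@` counts, so `patch` may reject it; regenerate it with `diff -u` before publishing.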

Patch for Drupal 6.14

Applying the following patch mitigates these threats in Drupal 6.14.

--- includes/theme.inc      2009-06-18 08:04:04.000000000 -0400
+++ includes/theme.inc        2009-10-09 13:42:40.523125334 -0400
@@ -1796,12 +1796,12 @@ function template_preprocess_page(&$vari
 
   // Construct page title
   if (drupal_get_title()) {
-    $head_title = array(strip_tags(drupal_get_title()), variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(drupal_get_title()), strip_tags(variable_get('site_name', 'Drupal')));
   }
   else {
-    $head_title = array(variable_get('site_name', 'Drupal'));
+    $head_title = array(strip_tags(variable_get('site_name', 'Drupal')));
     if (variable_get('site_slogan', '')) {
-      $head_title[] = variable_get('site_slogan', '');
+      $head_title[] = strip_tags(variable_get('site_slogan', ''));
     }
   }
   $variables['head_title']        = implode(' | ', $head_title);
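Review bot: the same concern as in the 5.20 hunk applies to the three `+` lines: strip_tags() strips, it does not escape, and check_plain() is the Drupal 6 function for plain-text values placed in HTML. The trailing context shows the elements being joined by `implode(' | ', $head_title)` into `$variables['head_title']`, so sanitizing each element before the join, as these lines do, is the right place; whatever function is chosen should be applied consistently to all three values, and the commit message should state that the separately escaped `site_name` used in the page body is unaffected.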

Vendor Response

The vendor has responded that "Users with the 'administer site configuration permission' can do everything on the site, including executing code. We do not consider this a vulnerability. It is a display bug however."