Drupal Answers Module 5.x-1.x-dev XSS Vulnerability

30 November -0001

Description

Drupal is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security.

The Answers module (http://drupal.org/project/answers), created by "Drupal experts" TickleSpace (http://ticklespace.com/) is designed to allow users to create "quests" in the form of questions. Users are then allowed to post answers to these quests. However, the answers submitted by users are not properly sanitized, leading to cross site scripting vulnerabilities. When a user posts a Simple Answer, using the link provided in nodes that are questions, the data entered in the "Answer:" text area is not sanitized for display. Users can enter malicious javascript or other data. In a default configuration this data is then rendered on the front page of the Drupal installation, subjecting users to a cross site scripting attack.

Vulnerable Versions

5.x-1.x-dev, dated 2008-May-22 was tested and shown vulnerable.

Testing for Vulnerability

Entering a value of "<script>alert('foo');</script>" as an answer will cause an alert box with the text "foo" to appear whenever the answer is displayed.

Impact

Depending on configuration, this vulnerability allows unauthenticated users to remotely inject malicious content that could be displayed to all web site users. Such content could include links to malware that could lead to possible system compromise.

Determining Version

The answers.info page for vulnerable versions displays the following information:

; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $
name = Questions
description =  Allows users track their questions.
package = "Answers"
 
; Information added by drupal.org packaging script on 2008-05-22
version = "5.x-1.x-dev"
project = "answers"
datestamp = "1211414452"

Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).

Vendor Response

The module developer has not responded to contact attempts.