Drupal 6 Actions, Triggers (Core) Module XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. Drupal provides several "core" modules by default. The Trigger and Actions modules are two such core modules. Using the Trigger and Actions module it is possible for users with sufficient privilege to inject arbitrary script into Drupal rendered pages.
Systems affected:
Drupal 6.16 and 6.17 were tested and shown to be vulnerable
Impact
User could inject arbitrary scripts into pages affecting site users (including administrators). Script injection could result in administrative account compromise leading to web server process compromise. Client side attack through the injection of references to objects handled by third party plugins that had vulnerabilities (such as malicious Java objects or Flash movies) is also possible, which could lead to user system compromise.
Mitigating factors:
In order to execute arbitrary script injection malicious users must have 'Administer actions' permission and the affected modules must be enabled.
Technical discussion and proof of concept:
Actions and Triggers, both part of Drupal core, contains XSS vulnerabilities
Proof of concept
- Go to ?q=admin/settings/actions
- Select any option from the 'Choose an advanced action' drop down
- Click 'Create'
- Enter "<script>alert('xss');</script> in the "Description" field
- View ?q=admin/settings/actions to view the rendered script
Furthermore, with certain actions allow for additional script injection. Specifically the 'Display a message to a user' action can be used in conjunction with the Trigger module to display arbitrary scripts when users trigger certain actions.
Proof of concept
- Enable the 'Trigger' module
- Go to ?q=admin/settings/actions
- Choose "Display a message to the user..." from the "Choose an advanced action" drop down
- Click the 'Create' button
- Enter "<script>alert('message');</script>" in the "Message:" text area
- Click 'Save'
- Navigate to ?q=admin/build/trigger/node and under the "Trigger: After saving a new post" form label choose "Display a message to the user" from the "Choose an action" drop down and click the 'Assign' button
- Create a new page at ?q=node/add/page with arbitrary content
- Click 'Save' to view the JavaScript alert box from #5 above
Vendor Response
Upgrade to the latest version of Drupal. Ref SA-Core-2010-002