Drupal Image Module XSS Vulnerability


Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Image module (http://drupal.org/project/image) "allows users with proper permissions to upload images into Drupal." The Image module contains a cross site scripting (XSS) vulnerability because the module fails to sanitize gallery names before display.

Systems affected:

Drupal 6.19 with Image 6.x-1.0 was tested and shown to be vulnerable.

Impact:

A user could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. Cross site scripting can also be used to attack users via client side application vulnerabilities (such as exploits in browsers or plugins) leading to user machine compromises.

Mitigating factors:

In order to exploit this vulnerability the attacker must have the ability to edit or create image galleries.

Proof of concept:

  1. Install Drupal 6.19, Image module version 6.x-1.0
  2. Enable the Image and Image Gallery modules from ?q=/admin/build/modules
  3. Create a new Gallery from ?q=admin/content/image/add, enter "<script>alert('xss');</script>" for the 'Gallery name:'
  4. View the gallery listing at ?q=image and click on the gallery name or navigate directly to the new gallery at ?q=image/tid/1
  5. Observe the JavaScript alert box
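As an added example (not part of the advisory or the Image module), the following Python audit mirrors the check_plain() escaping applied by the fix and flags stored gallery names that carry tag markup, so a site can find injected names before or after patching. It assumes gallery names are Drupal 6 taxonomy term names (as the ?q=image/tid/1 path suggests) and uses constructed rows in place of a query against the term_data table.

```python
import html
import re

# Constructed sample rows standing in for Drupal 6's term_data table
# (tid, name); gallery names are taxonomy terms in Image Gallery.
SAMPLE_TERMS = [
    (1, "Holiday photos"),
    (2, "<script>alert('xss');</script>"),
    (3, "Tom & Jerry"),
    (4, "<img src=x onerror=alert(1)>"),
]

# A '<' followed by an optional '/' and a tag-name or '!' character.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def check_plain(text: str) -> str:
    """Python equivalent of Drupal 6 check_plain(): reject invalid UTF-8
    and HTML-escape & < > " '.  PHP emits &#039; for a single quote while
    html.escape emits &#x27;; browsers decode both identically."""
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        return ""
    return html.escape(text, quote=True)


def audit_gallery_names(rows):
    """Return (tid, stored_name, escaped_name) for each gallery name that
    contains tag markup, i.e. what an unpatched
    drupal_set_title($gallery->name) would hand to the browser unescaped,
    alongside what the patched call renders instead."""
    findings = []
    for tid, name in rows:
        if MARKUP_RE.search(name):
            findings.append((tid, name, check_plain(name)))
    return findings


if __name__ == "__main__":
    for tid, name, escaped in audit_gallery_names(SAMPLE_TERMS):
        print(f"tid={tid}: stored={name!r} rendered-after-fix={escaped!r}")
```

Replace SAMPLE_TERMS with the rows of a `SELECT tid, name FROM term_data` query to run it against a real site.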

Patch:

The following patch mitigates this issue.

--- image/contrib/image_gallery/image_gallery.pages.inc	2010-08-03 13:43:00.000000000 -0400
+++ image.fixed/contrib/image_gallery/image_gallery.pages.inc	2010-12-13 15:55:42.737341682 -0500
@@ -72,7 +72,7 @@ function image_gallery_page($type = NULL
       $breadcrumb[] = l($parent->name, 'image/tid/' . $parent->tid);
     }
     drupal_set_breadcrumb($breadcrumb);
-    drupal_set_title($gallery->name);
+    drupal_set_title(check_plain($gallery->name));
   }
 
   return theme('image_gallery', $galleries, $images);
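Review bot: check_plain() on the drupal_set_title() argument is the right fix for Drupal 6, where the page title is printed without escaping, but this hunk covers only the title of the gallery page. Step 4 of the proof of concept says the gallery name is also shown in the listing at ?q=image, which is rendered by the unchanged `return theme('image_gallery', $galleries, $images);` line below; confirm that theme path escapes the names as well, or the injected name still executes from the listing. The `l($parent->name, ...)` breadcrumb in the leading context is fine as-is, since l() escapes its text by default.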

Vendor Response:

Upgrade to the latest version. (Ref: http://drupal.org/node/1005578)