Drupal Custom Pagers XSS Vulnerability

30 November -0001

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Pagers module (http://drupal.org/project/custom_pagers) "allows administrators to define context-sensitive previous/next pagers for any node type." The Custom Pagers module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize Custom Pagers names before display in the administrative back end interface.

Systems affected:

Drupal 5.21 with Custom Pagers 5.x-1.9, and Drupal 6.19 with Custom Pagers 6.x-1.0-beta2 were tested and shown to be vulnerable

Impact

User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'administer custom pagers' permission. This could be accomplished via social engineering, brute force password guessing, or abuse or legitimate credentials.

Proof of concept:

  1. Install Drupal, and the Custom Pager module
  2. Navigate to the Custom pagers administration page at ?q=admin/build/custom_pagers
  3. Click the 'Add a new custom pager' link or go to ?q=admin/build/custom_pagers/add
  4. For the 'Title' of the new page enter "<script>alert('xss');</script>"
  5. Enter arbitrary values for the rest of the form and click the 'Submit' button
  6. Observe the persistent XSS at ?q=admin/build/custom_pagers

Patch:

Applying the following patch mitigates this issue in version 5.x-1.9

--- custom_pagers/custom_pagers.module	2007-08-16 09:49:33.000000000 -0400
+++ custom_pagers/custom_pagers.module	2011-01-31 16:33:08.657233745 -0500
@@ -132,7 +132,7 @@ function custom_pagers_page() {
   $rows = array();
   foreach ($pagers as $pager) {
     $row = array();
-    $row[] = $pager->title;
+    $row[] = check_plain($pager->title);
     $row[] = !empty($pager->list_php) ? t('PHP snippet') : $pager->view . t(' view');
     $row[] = !empty($pager->visibility_php) ? t('PHP snippet') : $pager->node_type . t(' nodes');
     $row[] =  l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager->pid);

Applying the following patch mitigates this issue in version 6.x-1.0-beta2

--- custom_pagers/custom_pagers.admin.inc	2010-01-17 17:57:39.000000000 -0500
+++ custom_pagers/custom_pagers.admin.inc	2011-01-31 16:36:10.967026063 -0500
@@ -15,7 +15,7 @@ function custom_pagers_page() {
   $rows = array();
   foreach ($pagers as $pager) {
     $row = array();
-    $row[] = $pager->title;
+    $row[] = check_plain($pager->title);
     $row[] = !empty($pager->list_php) ? t('PHP snippet') : t('%view_name view', array('%view_name' => $pager->view));
     $row[] = !empty($pager->visibility_php) ? t('PHP snippet') : t('%node_type nodes', array('%node_type' => $pager->node_type));
     $row[] =  l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager->pid);

Vendor Response:

Drupal security team no longer supports vulnerabilities in Drupal 5 and explicitly does not support resolution of vulnerabilities in modules designated alpha, beta, dev, or other testing release. Module maintainer notified in public forums.