Drupal SWFTools Module XSS Vulnerability

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal SWF Tools module (http://drupal.org/project/swftools) contains multiple cross-site scripting (XSS) vulnerabilities because it fails to sanitize user-supplied input before displaying it.

Systems affected:

Drupal 6.19 with SWF Tools 6.x-2.5 was tested and shown to be vulnerable.

Impact

A user could inject arbitrary scripts into pages, affecting site users. This could result in administrative account compromise, leading to compromise of the web server process. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that attacks client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross-site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must have credentials for an authorized account that has been assigned the 'administer flash' permission. This could be accomplished via social engineering, brute-force password guessing, or abuse of legitimate credentials.

Proof of Concept:

  1. Install Drupal and enable the SWFTools module
  2. Navigate to the 'Embed settings' page at ?q=admin/settings/swftools/embed
  3. Enter "<script>alert('xss');</script>" at the end of the 'HTML alternative:' text
  4. Save the form
  5. View rendered JavaScript at any content with embedded SWF or at the SWF Tools status page at ?q=/admin/reports/swftools

-or-

  1. Same as above
  2. Enable swfobject2 embedding method and select as default from ?q=admin/settings/swftools/embed
  3. Enter '7");alert('xss');swfobject.embedSWF("' for 'Flash version:' at ?q=admin/settings/swftools/embed
  4. Click 'Save configuration'
  5. View rendered JavaScript at any content with embedded SWF or at the SWF Tools status page at ?q=/admin/reports/swftools
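The defect class behind both proofs of concept, shown as an added example that is not SWF Tools code: an administrator-supplied setting written straight into inline JavaScript and HTML, next to the hardened form. It uses plain PHP builtins so it runs stand-alone; inside a Drupal 6 module the equivalents are check_plain(), drupal_to_js() and filter_xss(). The element ids and the `movie.swf` path are placeholders.

```php
<?php
// Constructed inputs mirroring the two proof-of-concept values above.
$html_alt = "Get Flash <script>alert('xss');</script>";
$version  = "7\");alert('xss');swfobject.embedSWF(\"";

// VULNERABLE: raw interpolation. The version string closes the JS string
// literal and call, and the alternative text is emitted as live markup.
function render_vulnerable($html_alt, $version) {
    $js   = 'swfobject.embedSWF("movie.swf", "player", "400", "300", "' . $version . '");';
    $html = '<div id="player">' . $html_alt . '</div>';
    return "<script>$js</script>\n$html";
}

// HARDENED: values placed inside JavaScript are JSON-encoded (kept as one
// string literal, with quotes and angle brackets escaped as \uXXXX so a
// "</script>" inside the value cannot end the script block); values placed
// in markup are HTML-escaped. If the alternative text must allow some
// markup, use an allow-list HTML filter (filter_xss() in Drupal 6) instead.
function render_hardened($html_alt, $version) {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js    = 'swfobject.embedSWF("movie.swf", "player", "400", "300", '
           . json_encode($version, $flags) . ');';
    $html  = '<div id="player">' . htmlspecialchars($html_alt, ENT_QUOTES, 'UTF-8') . '</div>';
    return "<script>$js</script>\n$html";
}

// Belt and braces: validate at form-save time as well. A Flash version is
// digits and dots, so anything else is rejected by the form's validate
// handler rather than stored and rendered later.
function valid_flash_version($version) {
    return preg_match('/^\d+(\.\d+){0,3}$/', $version) === 1;
}

echo "--- vulnerable ---\n", render_vulnerable($html_alt, $version), "\n\n";
echo "--- hardened ---\n",   render_hardened($html_alt, $version),   "\n\n";
echo "version accepted by validation: ",
     valid_flash_version($version) ? "yes" : "no", "\n";   // "no" for the PoC value
echo "version accepted by validation: ",
     valid_flash_version("9.0.115") ? "yes" : "no", "\n";  // "yes" for a real version
```

Run it with `php example.php` and compare the two rendered blocks: in the hardened output the payload survives only as inert text inside a string literal and an escaped div.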

Vendor Response

SWFTools allows users to embed Flash elements that could exploit XSS on their own, so this vulnerability will be fixed in public.