Drupal Revisioning 6.x-3.13 XSS Vulnerability
Vulnerability Report
Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-1060
OSVDB: 78978
Description of Vulnerability:
Drupal is a robust content management system (CMS) written in PHP and MySQL. The Drupal Revisioning module (https://drupal.org/project/revisioning) "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize tags before display.
Systems affected:
Drupal 6.22 with Revisioning 6.x-3.13 was tested and shown to be vulnerable
Impact
Users with the ability to create content and tags that are submitted to a review queue could include malicious JavaScript or HTML in their tags. The attack then targets content moderators (presumably users with higher privileges), which could lead to silent account compromise and privilege escalation for the attacker. Attackers could also expose content reviewers to targeted client-side (malware) attacks, redirection (for phishing), or XSRF attacks.
Mitigating factors:
In order to execute arbitrary script injection malicious users must have the ability to create content with free taxonomy terms.
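The following standalone PHP snippet is an added illustration of the flaw described above; it is not code from the Revisioning module, and the function and variable names in it are hypothetical. It shows a taxonomy term name flowing into a table cell untouched beside the same cell rendered through htmlspecialchars() (which is what Drupal's check_plain() wraps), together with a small check a site owner could run over rendered markup.

```php
<?php
// Added illustration (not Revisioning module code): a term name that a
// content author controls ends up in a table cell of the revisions listing.
// Function and variable names are hypothetical.

// Constructed sample term, modelled on the advisory's proof of concept.
$sample_term = "<script>alert('xss');</script>";

// Vulnerable pattern: the term name is concatenated into markup as-is, so
// any HTML the author typed is interpreted by the moderator's browser.
function render_term_cell_unsafe(string $term_name): string {
    return '<td>' . $term_name . '</td>';
}

// Hardened pattern: escape at the output boundary. ENT_QUOTES also escapes
// single quotes so the value is safe inside attributes as well as text.
function render_term_cell_safe(string $term_name): string {
    return '<td>' . htmlspecialchars($term_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Simple regression check: no raw active-content tag should survive
// rendering. Escaped text such as &lt;script&gt; does not match.
function contains_active_markup(string $html): bool {
    return (bool) preg_match('/<\s*(script|iframe|img|svg)\b/i', $html);
}

$unsafe = render_term_cell_unsafe($sample_term);
$safe   = render_term_cell_safe($sample_term);

if (!contains_active_markup($unsafe)) {
    throw new RuntimeException('expected the unsafe cell to carry a live <script> tag');
}
if (contains_active_markup($safe)) {
    throw new RuntimeException('escaping failed: active markup survived');
}
if ($safe !== '<td>&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;</td>') {
    throw new RuntimeException('unexpected escaped output');
}

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

The important design choice is where the escaping happens: at the point the untrusted value is turned into markup, so every page that renders the term gets the same protection rather than only the one listing that happened to be tested.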
Proof of Concept Exploit:
- Install and enable the Revisioning module
- Enable the Taxonomy module (part of core)
- Create a new vocabulary at ?q=admin/content/taxonomy/add/vocabulary, being sure to apply it to the 'Story' content type and selecting 'Tags' for settings
- Edit the workflow settings for the Story content type at ?q=admin/content/node-type/story, selecting 'Create new revision'
- Create a new story at ?q=node/add/story putting "<script>alert('xss');</script>" as the tag for the Vocabulary created in step #3, check the 'Create new revision' and 'New revision in draft, pending moderation' checkboxes in the 'Revision information' fieldgroup
- Save the story
- View the 'Revisions' tab at ?q=node/X/revisions where X is the node ID to view the rendered JavaScript alert box
Patch:
The following patch mitigates this vulnerability:
--- revisioning/revisioning_theme.inc 2011-07-19 01:32:33.000000000 -0400 +++ revisioning.fixed/revisioning_theme.inc 2012-01-29 04:26:05.993398527 -0500 @@ -190,7 +190,7 @@ function theme_revisioning_revisions_sum } // Term if ($show_taxonomy_terms) { - $row[] = drupal_render($form['term'][$vid]); + $row[] = filter_xss(drupal_render($form['term'][$vid])); } // Publication status $is_current = ($vid == $node->vid);
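Review bot: wrapping the already-rendered output of drupal_render($form['term'][$vid]) in filter_xss() sanitizes late and only in this one theme path (theme_revisioning_revisions_summary's term column); the untrusted value is the term name itself, so escaping it with check_plain() where $form['term'][$vid] is built would cover every place that form element is rendered, not just this table. Note also that filter_xss() keeps its default allowed tags (a, em, strong, and so on), so a rendered term link survives while <script> is stripped; if the term should be treated as plain text, check_plain() is the stricter choice.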
Vendor response:
Upgrade to latest version. SA-CONTRIB-2012-018