Drupal Mobile Tools 6.x-2.3 XSS

30 May 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Mobile Tools module (https://drupal.org/project/mobile_tools) "provides Drupal developers with some tools to assist in making a site mobile." The Mobile Tools module contains several persistent cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize user supplied values before display.

Systems affected:

Drupal 6.24 with Mobile Tools 6.x-2.3 was tested and shown to be vulnerable

Impact

Users could be subject to account compromise, client side attack, or other vulnerabilities due to arbitrary script execution.

Mitigating factors:

In order to execute arbitrary script injection malicious users must have the ability to administer mobile tools.

Proof of Concept Exploit:

Install and enable the Mobile Tools modules
Enable the 'Mobile Tools message block' from ?q=admin/build/block
Navigate to the Mobile Tools administration page at ?q=admin/settings/mobile-tools
Under 'General configuration' for the 'Mobile URL' and 'Desktop URL' insert the following text, including double quotes:
" onmouseover="javascript:alert('url xss');" id="
In the 'Mobile Tools block message options' append the text "<script>alert('xss');</script>" to the message
Save the configuration to view the javascript alert from step 5.
Mouse over the text in the block from step 2 to view the Javascript injected in step 4