Drupal Creative Commons 6.x-1.0 XSS Vulnerability
Vulnerability Report
Reported: February 13, 2012
CVE: CVE-2012-2297
OSVDB: 81551
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Creative Commons module (https://drupal.org/project/creativecommons) "allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. It also provides integration between CC and Drupal technology." The Creative Commons module contains multiple persistent cross-site scripting (XSS) vulnerabilities because it fails to sanitize user-supplied input before display.
Systems affected:
Drupal 6.22 with Creative Commons 6.x-1.0 was tested and shown to be vulnerable
Impact
Users administering the Creative Commons module can inject arbitrary script that is executed whenever new content of selected types is created or edited, whenever a page with the license is viewed, or whenever Views are administered. This could lead to privilege escalation, account compromise, or other attacks (such as client side exploits).
Mitigating factors:
In order to execute arbitrary script injection malicious users must have the ability to administer the Creative Commons module.
Proof of concept exploit:
- Install and enable the Creative Commons module
- Navigate to the settings page at ?q=admin/settings/creativecommons/edit
- Enter "<script>alert('xss');</script>" for the "Custom message" and save
- Apply the module to the Story content type at ?q=admin/settings/creativecommons/types
- View the create Story page at ?q=node/add/story to view rendered JavaScript

- Install and enable the Creative Commons module
- Navigate to the settings page at ?q=admin/settings/creativecommons/default
- Check the box to 'Use the default license as a site...'
- Enter "<script>alert('xss');</script>" in the 'Additional text:' area
- Save the configuration
- Move the "Creative Commons Site License" to a visible region at ?q=admin/build/block
- Save the block configuration to view the JavaScript alert
- This alert can also be viewed in the Views settings page (?q=admin/build/views)
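Both proofs of concept leave the payload stored in a module setting, so a site that ran the vulnerable release should check what is currently stored there, not only upgrade. The following audit script is an added example for defenders and is not part of the advisory or of the Creative Commons module. It assumes Drupal 6's `variable` table, whose values are PHP-serialized strings, and it takes the two setting names from the patch above (`creativecommons_user_message` and `creativecommons_site_license_additional_text`). The allowed-tag list is assumed to match Drupal 6 core's `filter_xss()` default; the sample rows are constructed, not taken from a real site.

```python
import re

# The two settings the advisory's patch passes through filter_xss() on output.
WATCHED_VARIABLES = (
    "creativecommons_user_message",
    "creativecommons_site_license_additional_text",
)

# Tags Drupal 6's filter_xss() keeps by default (assumed from D6 core; adjust
# if you want a stricter policy, e.g. none at all for plain-text messages).
FILTER_XSS_DEFAULT_TAGS = {"a", "em", "strong", "cite", "code",
                           "ul", "ol", "li", "dl", "dt", "dd"}

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
EVENT_ATTR_RE = re.compile(r"\son[a-z]+\s*=", re.I)
URL_SCHEME_RE = re.compile(r"(href|src)\s*=\s*['\"]?\s*(javascript|vbscript|data):", re.I)


def php_unserialize_string(blob):
    """Decode a PHP-serialized string of the form s:N:"...";.
    N is a byte length, so slice the UTF-8 bytes rather than characters."""
    m = re.match(r's:(\d+):"', blob)
    if not m:
        raise ValueError("not a serialized PHP string: %r" % blob[:40])
    n, start = int(m.group(1)), m.end()
    raw = blob.encode("utf-8")
    value = raw[start:start + n]
    if raw[start + n:start + n + 2] != b'";':
        raise ValueError("length field does not match payload: %r" % blob[:40])
    return value.decode("utf-8")


def find_suspicious_markup(text):
    """Report tags outside the allow-list, inline event handlers and
    scripting URL schemes; anything reported would survive raw output."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag not in FILTER_XSS_DEFAULT_TAGS:
            findings.append("disallowed tag <%s>" % tag)
        if EVENT_ATTR_RE.search(attrs):
            findings.append("event handler attribute on <%s>" % tag)
        if URL_SCHEME_RE.search(attrs):
            findings.append("scripting URL scheme on <%s>" % tag)
    return findings


def audit_variable_rows(rows):
    """rows: iterable of (name, value) tuples as returned by
    SELECT name, value FROM variable WHERE name IN (...);
    returns {setting_name: [findings]} for the watched settings only."""
    report = {}
    for name, blob in rows:
        if name not in WATCHED_VARIABLES:
            continue
        findings = find_suspicious_markup(php_unserialize_string(blob))
        if findings:
            report[name] = findings
    return report


# Constructed sample rows (not from a real site): a benign custom message,
# the advisory's alert() payload in the additional text, and an unrelated row.
SAMPLE_ROWS = [
    ("creativecommons_user_message",
     's:44:"Licensed under <a href="/license">CC BY</a>.";'),
    ("creativecommons_site_license_additional_text",
     's:30:"<script>alert(\'xss\');</script>";'),
    ("site_name", 's:7:"Example";'),
]

if __name__ == "__main__":
    for name, findings in audit_variable_rows(SAMPLE_ROWS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In practice feed `audit_variable_rows()` the rows from `SELECT name, value FROM variable WHERE name LIKE 'creativecommons_%'` (or the output of a `drush` variable dump); anything flagged was stored while the module output it unfiltered and should be cleaned by an administrator even after upgrading to 6.x-1.1.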
Patch:
The following patches mitigate these vulnerabilities:
$ diff -up creativecommons/creativecommons.module creativecommons.fixed/creativecommons.module --- creativecommons/creativecommons.module 2011-03-29 20:57:41.000000000 -0400 +++ creativecommons.fixed/creativecommons.module 2012-02-13 12:48:35.572939780 -0500 @@ -1870,7 +1870,7 @@ function creativecommons_node_form($node if (variable_get('creativecommons_user_message', '')) { // Custom Creative Commons license description - $description = variable_get('creativecommons_user_message', ''); + $description = filter_xss(variable_get('creativecommons_user_message', '')); } else { $ diff -up creativecommons/theme/theme.inc creativecommons.fixed/theme/theme.inc --- creativecommons/theme/theme.inc 2011-03-29 20:57:41.000000000 -0400 +++ creativecommons.fixed/theme/theme.inc 2012-02-13 12:46:36.846006949 -0500 @@ -18,7 +18,7 @@ function theme_creativecommons_site_lice // Additional text if ($additional_text = variable_get('creativecommons_site_license_additional_text', '')) { - $output .= '<br/>'. $additional_text; + $output .= '<br/>'. filter_xss($additional_text); } // RDF output
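Review bot: in the creativecommons.module hunk, wrapping the custom message in filter_xss() uses Drupal's default allowed-tag set, so the stored setting can still carry links and inline markup when $description is later rendered; if the "Custom message" is meant to be plain text, check_plain() is the stricter choice. Filtering at output rather than at save time is the right place here, since any value already stored by the vulnerable release is otherwise rendered as-is.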
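Review bot: the theme.inc hunk filters $additional_text only where it is appended after '<br/>'; the rest of theme_creativecommons_site_license() is outside the hunk, so confirm nothing else read from variable_get() in that function reaches $output unescaped, and that the same additional-text variable is not output elsewhere in the module, given that the advisory notes the alert also fires on the Views administration page. As with the other hunk, check_plain() is preferable to filter_xss() if no markup is intended in the additional text.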
Vendor response:
On 25 April 2012, the vendor released SA-CONTRIB-2012-062 (https://drupal.org/node/1547520) advising users to upgrade to version 6.x-1.1 or later.