Drupal Service Links 6.x-1.0 XSS Vulnerability

30 November -0001

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Service links module (http://drupal.org/project/service_links) "enables admins to add links to a number of social bookmarking sites, blog search sites etc. "

The Service Links module contains a cross site scripting vulnerability because it does not properly sanitize output of content type names before display.

Systems affected:

Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:

The Service links module must be installed. To carry out a Service links based XSS exploit the attacker must have 'administer content types' permissions.

Proof of Concept:

  1. Install Drupal 6.14
  2. Install Service links 6.x-1.0
  3. Enable the Service links module from Administer -> Site building -> Modules
  4. Create a new Content type from Administer -> Content management -> Content types and click 'Add content type'
  5. For the 'name' field enter <script>alert('xss');</script> and save the content type
  6. Click Administer -> Site configuration -> Service links to trigger the JavaScript

Technical details:

The Service links module fails to sanitize the output of the content type names before display. Applying the following patch fixes this vulnerability.

Patch

Applying the following patch mitigates these threats.

--- service_links/service_links.module	2008-02-26 12:01:27.000000000 -0500
+++ service_links/service_links.module	2009-10-02 06:33:21.000000000 -0400
@@ -35,11 +35,12 @@ function service_links_admin_settings() 
     '#title' => t('Where to show the service links'),
     '#description' => t('Set the node types and categories you want to display links for.'),
   );
+  $names = array_map('filter_xss', node_get_types('names'));
   $form['where_to_show_the_links']['service_links_node_types'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Node types'),
     '#default_value' => variable_get('service_links_node_types', array()),
-    '#options' => node_get_types('names'),
+    '#options' => $names,
   );
   if (module_exists('taxonomy')) {
     $form['where_to_show_the_links']['service_links_category_types'] = array(