Drupal Zen Theme 6.x-1.1 XSS Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides custom look-and-feel functionality through themes. The popular Zen theme (http://drupal.org/project/zen) contains a cross-site scripting vulnerability: it fails to sanitize the configured breadcrumb separator when it is displayed, allowing arbitrary script injection.
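The following is an added illustration, not code from the Zen theme or from the advisory: a minimal stand-in for the breadcrumb rendering described above, with the unsanitized separator handling beside the sanitized one. check_plain_standin() is an assumed replacement for Drupal 6's check_plain() so the snippet runs outside Drupal; the crumb links and separator value are constructed sample input.

```php
<?php
// Stand-in for Drupal 6's check_plain(): HTML-encode every special character,
// so any markup in the value is rendered as literal text instead of tags.
function check_plain_standin(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable form: the theme setting is concatenated into the page as-is, so
// whatever markup was saved in 'Breadcrumb separator' becomes live HTML.
function breadcrumb_unsafe(array $crumbs, string $separator): string {
    if (empty($crumbs)) {
        return '';
    }
    return '<div class="breadcrumb">' . implode($separator, $crumbs) . '</div>';
}

// Hardened form: the separator is encoded at display time, which is the
// behaviour the advisory describes as the fix. The 10-character form limit is
// not relied on, since database writes bypass the form entirely.
function breadcrumb_safe(array $crumbs, string $separator): string {
    if (empty($crumbs)) {
        return '';
    }
    $separator = check_plain_standin($separator);
    return '<div class="breadcrumb">' . implode($separator, $crumbs) . '</div>';
}

// Constructed sample: pre-rendered links as Drupal supplies them to the theme,
// and a separator value containing markup, as in the advisory's proof of concept.
$crumbs    = ['<a href="/">Home</a>', '<a href="/node">Content</a>'];
$separator = '<em>!</em>';

// The unsafe output contains the <em> element; the safe output contains only
// entity-encoded text between the two links.
echo breadcrumb_unsafe($crumbs, $separator), "\n";
echo breadcrumb_safe($crumbs, $separator), "\n";
```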
Systems affected:
Zen 6.x-1.1 was tested and shown to be vulnerable.
Mitigating factors:
An attacker must have the 'administer site configuration' permission or write access to the database in order to exploit this vulnerability. Additionally, the breadcrumb configuration form limits the separator to 10 characters.
Proof of concept:
- Install Drupal 6.16 and the Zen theme.
- Enable the Zen theme from Administer -> Site building -> Modules
- Go to Administer -> Site building -> Themes
- Click on the 'configure' link
- Enter "<em>!</em>" in the 'Breadcrumb separator' text area
- Click the 'Save configuration' button
Patch:
Applying the following patch mitigates these threats.
--- zen/zen/template.php 2010-03-26 10:09:43.718371984 -0400 +++ zen/zen/template.php 2010-03-26 10:09:54.864395793 -0400 @@ -60,7 +60,7 @@ function zen_breadcrumb($breadcrumb) { // Return the breadcrumb with separators. if (!empty($breadcrumb)) { - $breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator')); + $breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator'); $trailing_separator = $title = ''; if (theme_get_setting('zen_breadcrumb_title')) { if ($title = drupal_get_title()) {
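Review bot: the hunk removes the sanitization rather than adding it: the `-` line is `$breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator'));` and the `+` line is the bare `$breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator');`, which is the opposite of what "Applying the following patch mitigates these threats" requires. The old and new sides appear to be swapped; the two lines should be exchanged (or the diff applied with `patch -R`) so that the result wraps the setting in check_plain(). The hunk is also truncated after `if ($title = drupal_get_title()) {`, so as shown it is not a complete, applicable patch.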