Drupal With Webform Cross Site Scripting

24 May 2011 · Reported by Justin C. Klein Keane · Type: packetstorm · Source: packetstormsecurity.com

Drupal Webform XSS Vulnerabilit

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Vulnerability Report  
  
Original Date of Vendor Notification: April 19, 2011 15:15 (GMT - 4:00)  
  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Webform module  
(http://drupal.org/project/webform) "adds a webform node type to your  
Drupal site." The Drupal webform module is the 13th most popular third  
party contributed module in the Drupal project, installed on more than  
116,000 sites. The module contains multiple cross site scripting (XSS)  
vulnerabilities due to the fact that it fails to sanitize user supplied  
input before display. The module also fails to restrict file uploads to  
the Drupal installation directory.  
  
Systems affected:  
- -----------------  
Drupal 6.20 with Webform 6.x-2.10, Drupal 7.0 with Webform 7.x-3.9 and  
Drupal 5.23 with Webform 5.x-2.10 were all tested and shown to be  
vulnerable.  
  
Impact  
- ------  
In specific scenarios unauthenticated users could inject arbitrary  
scripts into pages affecting site administrative users. This could  
result in administrative account compromise leading to web server  
process compromise. Another likely scenario would be for an attacker to  
inject hidden content (such as iframes, applets, or embedded objects)  
that would attack client browsers in an attempt to compromise site  
users' machines. This vulnerability could also be used to launch cross  
site request forgery (XSRF) attacks against the site that could have  
other unexpected consequences.  
  
Attackers could also use file uploads in webforms to write arbitrary  
files to the filesystem as the web server.  
  
Mitigating factors:  
- -------------------  
In order to exploit the form name upload XSS vulnerability users must be  
able to submit webforms with file components, including unauthenticated  
users.  
  
In order to exploit form configuration vulnerabilities (using component  
names) the attacker must have credentials to an authorized account that  
has been assigned the permissions to create and/or edit a webform. This  
could be accomplished via social engineering, brute force password  
guessing, or abuse of legitimate credentials.  
  
File uploads are restricted by type based on extension and can only be  
written in locations to which the file server has permissions.  
  
Proof of Concept:  
- -----------------  
1. Install Drupal and Webform module  
2. Create a new webform at ?q=node/add/webform, using arbitrary values  
3. Edit the form components at ?q=node/X/edit/components where 'X' is  
the node id  
4. Type an arbitrary name for a new form component and select 'file' as  
the type then click 'Add'  
5. In the resulting screen enter  
"../../../../../../../../../../../../tmp" in the 'Upload Directory'  
6. Click submit  
7. View the form at ?q=node/X  
8. Select a file using the 'Browse' button then submit the form  
9. Viewing the filesystem the uploaded file can be found in the /tmp  
directory  
  
1. Install Drupal and Webform module  
2. Create a new webform at ?q=node/add/webform, using arbitrary values  
3. Edit the form components at ?q=node/X/edit/components where 'X' is  
the node id  
4. Type an arbitrary name for a new form component and select 'file' as  
the type then click 'Add'  
5. Enter arbitrary values for the file component definitions  
6. View the form at ?q=node/X  
8. Select a file named "<iframe src='index.php'  
onLoad='javascript:alert("xss");'>.jpg" using the 'Browse' button then  
submit the form  
9. View the results at ?q=node/X/webform-results and click the 'View'  
link under 'Operations' for the just submitted form  
10. The iframe and associated JavaScript are rendered at  
?q=node/X/submission/Y where X is the nid and Y is the submission id  
  
1. Install Drupal and Webform module  
2. Create a new webform at ?q=node/add/webform, using arbitrary values  
3. Edit the form components at ?q=node/X/edit/components where 'X' is  
the node id  
4. Create a new component named '<script>alert("xss");</script>' of any  
type and click the 'Add' button  
5. Fill out and submit the form at ?q=node/X where X is the nid  
6. View the 'Analysis' of 'Results' at  
?q=node/X/webform-results/analysis to view the rendered JavaScript  
7. View the 'Table' of 'Results' at ?q=node/X/webform-results/table to  
view the XSS and file upload name XSS attack  
  
Vendor Response:  
- ----------------  
No fix for Drupal 5 version. Upgrade to latest version of Webform for  
Drupal 6 and Drupal 7. http://drupal.org/node/1161954  
  
- --   
Justin Klein Keane  
http://www.MadIrish.net  
  
The digital signature on this e-mail may be confirmed using the  
PGP key located at: http://www.madirish.net/gpgkey  
  
`
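
The three proof-of-concept cases above come down to two root causes: user-controlled names printed without HTML escaping, and an upload directory value that is not confined to a base directory. The PHP below is an added example showing both checks; it is not code from the Webform module or from the advisory, and the function names `example_escape_name` and `example_resolve_upload_dir` and the base path are hypothetical.

```php
<?php
// Added example; all function names and the base path are hypothetical.

// Escape a user-controlled name (uploaded file name, component name)
// before it is placed into HTML such as a results table or submission view.
function example_escape_name(string $name): string {
  return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Resolve an admin-configured upload sub-directory lexically against $base.
// Returns the confined path, or null when the value would climb out of $base.
// A leading "/" is treated as relative to $base. Symlinks are not followed
// here, so also compare realpath() of the created directory in production.
function example_resolve_upload_dir(string $base, string $subdir): ?string {
  if (strpos($subdir, "\0") !== false) {
    return null;
  }
  $parts = [];
  foreach (explode('/', str_replace('\\', '/', $subdir)) as $segment) {
    if ($segment === '' || $segment === '.') {
      continue;
    }
    if ($segment === '..') {
      if (count($parts) === 0) {
        return null; // would leave $base
      }
      array_pop($parts);
      continue;
    }
    $parts[] = $segment;
  }
  return rtrim($base, '/') . ($parts ? '/' . implode('/', $parts) : '');
}

// Inputs taken from the advisory's proof-of-concept steps.
$names = [
  "<iframe src='index.php' onLoad='javascript:alert(\"xss\");'>.jpg",
  '<script>alert("xss");</script>',
];
foreach ($names as $name) {
  echo example_escape_name($name), PHP_EOL;
}

$base = '/var/www/drupal/sites/default/files/webform'; // constructed path
foreach (['../../../../../../../../../../../../tmp', 'uploads/2011', 'a/../b'] as $dir) {
  $resolved = example_resolve_upload_dir($base, $dir);
  echo $dir, ' => ', $resolved === null ? 'REJECTED' : $resolved, PHP_EOL;
}
```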
