Drupal Activity 6.x XSS Proof Of Concept

2012-03-29T00:00:00
ID PACKETSTORM:111324
Type packetstorm
Reporter Justin C. Klein Keane
Modified 2012-03-29T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Exploit for bespoke:  
  
* Install and enable the Activity and Flag modules  
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add  
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter  
"<script>alert('xss');</script>" for the flag Title  
* View the rendered JavaScript at /?q=admin/settings/activity/flagactivity  
  
* As above  
* Alter the "Comment: Insert:" field in the "Message visible to the  
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity  
to insert the text "<script>alert('xss');</script>"  
* Move the "Activity (All): show all recent activity" block to a  
visible content region at ?q=admin/build/block  
* Create a story at ?q=node/add/story  
* Log out  
* As anonymous user add a comment at ?q=comment/reply/X#comment-form  
where X is the nid of the story from step #4  
* Submit the comment to view the rendered JavaScript alert in the  
Activity block or log back in to see the JavaScript at ?q=activity  
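Both findings come down to the same defect: attacker-influenced strings (a flag title, a message template, a comment body) reach an HTML page without being escaped for that context. The following is an added, self-contained PHP illustration of the output-escaping rule; it is not code from the advisory or from the Activity module. It uses a stand-in for Drupal 6's check_plain() (htmlspecialchars with ENT_QUOTES and UTF-8) and a hypothetical token renderer, render_message(), that escapes both the template and every substituted value in a single pass so that a value containing "[token]" text cannot be expanded a second time. The payload string is the one quoted in the advisory, used here only as constructed test input.

```php
<?php
// Added example, not part of the advisory or the Activity module.
// Assumptions: html_escape() mirrors Drupal 6 check_plain(); render_message()
// is a hypothetical replacement for a token-substituting message renderer.

/** Escape a string for insertion into HTML text or attribute content. */
function html_escape($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Render an admin-supplied pattern such as "[user-name] commented: [comment-body]".
 * The pattern is escaped first (so an administrator who edits the template cannot
 * emit markup either), then each [token] is replaced in one preg pass with the
 * escaped value. A single pass means a value that itself contains "[user-name]"
 * is left as literal text instead of being expanded again. Unknown tokens are
 * kept verbatim rather than silently dropped, which makes template typos visible.
 */
function render_message($pattern, array $values) {
    $escaped_pattern = html_escape($pattern);
    return preg_replace_callback(
        '/\[([a-z0-9-]+)\]/',
        function ($m) use ($values) {
            if (!array_key_exists($m[1], $values)) {
                return $m[0];
            }
            return html_escape($values[$m[1]]);
        },
        $escaped_pattern
    );
}

/** Returns TRUE when the renderer neutralises both injection points. */
function self_test() {
    // Constructed input: the payload string quoted in the advisory.
    $payload = "<script>alert('xss');</script>";

    // Case 1: the template itself carries the payload (the "Comment: Insert:" field).
    $out1 = render_message("Comment: Insert: $payload", array());

    // Case 2: a user-controlled token value carries the payload and a nested token.
    $out2 = render_message('[user-name] commented: [comment-body]', array(
        'user-name'    => 'anonymous',
        'comment-body' => $payload . ' and [user-name]',
    ));

    $expected2 = 'anonymous commented: &lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt; and [user-name]';

    return strpos($out1, '<script') === false
        && strpos($out2, '<script') === false
        && $out2 === $expected2;   // nested [user-name] was not re-expanded
}

echo render_message("Comment: Insert: <script>alert('xss');</script>", array()), "\n";
echo self_test() ? "escaping OK\n" : "escaping FAILED\n";
```

The difference from the advisory's patch is the sanitizer: filter_xss() strips disallowed tags but keeps a whitelist of markup, whereas the stand-in above encodes everything, so the rendered page shows the payload literally. Which one fits depends on whether the field is meant to carry markup at all; for form labels, fieldset titles and activity messages that are displayed as text, full encoding is the safer default.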
  
Patch:  
  
The following patch mitigates the above vulnerabilities.  
  
- --- activity/activity.module 2009-04-26 21:45:25.000000000 -0400  
+++ activity.fixed/activity.module 2012-01-26 06:34:56.014821191 -0500  
@@ -311,7 +311,7 @@ function activity_module_settings(&$form  
'#type' => 'checkboxes',  
'#title' => t('Token types'),  
'#description' => t('Select the token types that you wish to  
record activity from.'),  
- - '#options' => $info['types'],  
+ '#options' => array_map("filter_xss", $info['types']),  
'#default_value' => variable_get($module .'_token_types',  
array_keys($info['types'])),  
'#attributes' => array('class' => 'activity-token-types'),  
);  
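Review bot: array_map("filter_xss", $info['types']) at the '#options' line keeps whatever markup falls inside filter_xss()'s tag whitelist in the option labels; token type names are plain identifiers, so check_plain() would be the stricter and more predictable choice and would not silently drop parts of a name. The keys of the same array still reach '#default_value' through array_keys() untouched; confirm that the Form API escapes them when it emits the checkbox values, and add a comment in the hunk saying that the labels, not the keys, are the untrusted part, since nothing in the change records why it was made.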
@@ -350,7 +350,7 @@ function activity_module_settings(&$form  
if (count($types) > 1) {  
$form[$module][$role_name][$type_name] = array(  
'#type' => 'fieldset',  
- - '#title' => t($type),  
+ '#title' => filter_xss(t($type)),  
'#collapsible' => TRUE,  
'#collapsed' => TRUE,  
);  
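Review bot: filter_xss(t($type)) at the '#title' line leaves filter_xss()'s markup whitelist in a fieldset title, where only plain text is expected; check_plain(t($type)) would be stricter. Filtering after t() is the right order, since the translated output is what gets rendered, but t() on a variable rather than a literal string is a Drupal coding-standards issue (the string cannot be extracted for translation) and was already present before this change; given that the title is attacker-influenced here, consider dropping t() or documenting why it stays.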
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit  
activity_invoke_activityapi($activity, 'render');  
$message = token_replace($pattern, $module, $data);  
$message = token_replace($message, 'activity', $data);  
- - return $message;  
+ return filter_xss($message);  
}  
}  
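Review bot: return filter_xss($message) filters the fully assembled message after both token_replace() passes, which is the right choke point because it covers the pattern text and the substituted token values alike, but it also reduces any markup an administrator deliberately placed in a message pattern to the filter_xss whitelist; document that behaviour change. Also check the callers of activity_token_replace(): any that already pass the return value through check_markup() or a text format will now filter it twice, and any that expect a plain-text string should not rely on filter_xss(), which keeps the whitelisted tags in place.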
  
  
Justin Klein Keane  
http://www.MadIrish.net  