Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting

2012-07-11T00:00:00
ID PACKETSTORM:114635
Type packetstorm
Reporter Zach Alexander
Modified 2012-07-11T00:00:00

Description

Drupal Book Block 6.x-1.0-beta1 XSS Vulnerability  
  
Posted by zalexander on July 9, 2012 at 2:44pm  
  
Project: Book Block  
Version: 6.x-1.0-beta1  
Component: Code  
Category: bug report  
Priority: major  
Assigned: mcjim  
Status: fixed  
Issue tags: patch, security, vulnerability, xss  
  
Issue Summary  
  
Description of Vulnerability:  
  
Drupal (http://drupal.org) is a content management system (CMS) written in PHP, typically backed by a MySQL database.  
The Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a  
block on their page that can generate an individual menu block for each of a site's books.  
These blocks can then be administered as any other block to appear on the pages you choose.  
The Book Block module contains a stored (persistent) cross-site scripting (XSS) vulnerability: its admin  
page renders book titles without sanitizing them, so markup placed in a title is emitted as-is.  
  
Systems Affected:  
  
Drupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.  
  
Impact:  
  
Users who have the ability to create books on the website can inject arbitrary script into  
book titles. This script will execute in the browser of any user who views /admin/content/book/blocks,  
which in practice means a site administrator. This could lead to privilege escalation, account compromise  
or other attacks. This exploit affects  
  
Mitigating Factors:  
  
In order to insert a malicious script into the database, access to a valid user account with  
the ability to create Book nodes is required.  
  
Proof of Concept:  
  
1. Install and enable the Book Block module  
2. Navigate to /node/add and click "Book page" to create a new book page  
3. Enter <script>alert('XSS Vulnerability')</script> into the "title" field, fill in the "body" field arbitrarily and press "Save"  
4. Navigate to /admin/content/book/blocks to view the rendered JavaScript  
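
The following is an added example, not code from the Book Block module or from Drupal core. It shows the vulnerable pattern the advisory describes (a book title copied straight into an admin-form option label) beside the hardened form (check_plain() applied to the title string where it becomes HTML). The book records, the option-building shape and the label rendering are assumptions made so the file runs with plain `php`, outside Drupal; check_plain() is stubbed with the same htmlspecialchars() call Drupal 6 uses.

```php
<?php
// Added example (not Book Block or Drupal core code): vulnerable vs hardened
// handling of book titles on an admin page, runnable as `php example.php`.

// Stand-in for Drupal 6's check_plain(): htmlspecialchars() with ENT_QUOTES
// and UTF-8. Only defined when Drupal has not already loaded the real one.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed stand-in for book_get_books(): book records keyed by book id,
// with the keys an admin form reads. Book 2 carries the advisory's PoC payload.
function example_books() {
  return array(
    1 => array('bid' => 1, 'nid' => 1, 'title' => 'Site handbook', 'has_children' => 1),
    2 => array('bid' => 2, 'nid' => 2, 'title' => "<script>alert('XSS Vulnerability')</script>", 'has_children' => 0),
  );
}

// Vulnerable pattern: titles become option labels untouched, so the form
// later prints the attacker's markup verbatim into the admin page.
function bookblock_options_vulnerable(array $books) {
  $options = array();
  foreach ($books as $book) {
    $options[$book['bid']] = $book['title'];
  }
  return $options;
}

// Hardened pattern: escape each title at the point it turns into HTML.
// check_plain() must receive the title *string*, not the whole book array:
// array_map('check_plain', $books) would hand each array to htmlspecialchars(),
// which rejects it (warning and NULL on PHP 5, TypeError on PHP 8) and
// escapes nothing.
function bookblock_options_fixed(array $books) {
  $options = array();
  foreach ($books as $book) {
    $options[$book['bid']] = check_plain($book['title']);
  }
  return $options;
}

// Minimal rendering of a checkbox label per option (assumed shape), so the
// difference is visible without Drupal's theme layer.
function render_labels(array $options) {
  $html = '';
  foreach ($options as $bid => $label) {
    $html .= '<label for="edit-bookblock-' . (int) $bid . '">' . $label . "</label>\n";
  }
  return $html;
}

$books = example_books();
echo "--- vulnerable: the script tag reaches the browser ---\n";
echo render_labels(bookblock_options_vulnerable($books));
echo "--- fixed: the payload is shown as inert text ---\n";
echo render_labels(bookblock_options_fixed($books));
```

Running it prints the raw `<script>` element in the first block and `&lt;script&gt;alert(&#039;XSS Vulnerability&#039;)&lt;/script&gt;` in the second; the fix is the same regardless of which Form API element the real module uses, as long as check_plain() wraps the title string at output time.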
  
Patch:  
  
The following patch mitigates this vulnerability:  
  
$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc  
--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400  
+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400  
@@ -13,7 +13,7 @@  
* @ingroup forms  
*/  
function bookblock_admin_settings() {  
- $books = book_get_books();  
+ $books = array_map("check_plain",book_get_books());  
if ($books) {  
foreach ($books as $book) {  
if (!$book['has_children']) {  
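Review bot: the replacement on the `$books = ...` line escapes the wrong thing. book_get_books() returns an array of book arrays (the loop below reads $book['has_children']), so `array_map("check_plain",book_get_books())` passes each book array, not each title, to check_plain(); its htmlspecialchars() call rejects a non-string (warning and NULL on PHP 5), which leaves every $book empty and still escapes no title. Keep `$books = book_get_books();` and apply `check_plain($book['title'])` where the title is placed into the form; also add a space after the comma in the array_map() call per Drupal coding standards if the mapping is kept.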
@@ -31,4 +31,4 @@  
$form['array_filter'] = array('#type' => 'value', '#value' => TRUE);  
return system_settings_form($form);  
}  
-}  
\ No newline at end of file  
+}  
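Review bot: this hunk only adds the missing newline at end of file. That is correct per Drupal coding standards, but it is unrelated to the XSS fix and would be cleaner as a separate whitespace commit so the security change stays minimal and easy to backport.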
  