drupal-xss.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
* Date: Sept 12, 2008  
* Security risk: medium  
* Exploitable from: Remote  
* Vulnerability: Cross site scripting  
  
Description  
  
Drupal is a robust content management system (CMS) that provides  
extensibility through hundreds of third party modules. While the  
security of Drupal core modules is vetted by a central security team,  
third party modules are not reviewed for security.  
  
The Answers module (http://drupal.org/project/answers), created by  
"Drupal experts" TickleSpace (http://ticklespace.com/) is designed to  
allow users to create "quests" in the form of questions. Users are then  
allowed to post answers to these quests. However, the answers submitted  
by users are not properly sanitized, leading to cross site scripting  
vulnerabilities. When a user posts a Simple Answer, using the link  
provided in nodes that are questions, the data entered in the "Answer:"  
text area is not sanitized for display. Users can enter malicious  
javascript or other data. In a default configuration this data is then  
rendered on the front page of the Drupal installation, subjecting users  
to a cross site scripting attack.  
  
Vulnerable Versions  
  
5.x-1.x-dev, dated 2008-May-22 was tested and shown vulnerable.  
  
Testing for Vulnerability  
  
Entering a value of "<script>alert('foo');</script>" as an answer will  
cause an alert box with the text "foo" to appear whenever the answer is  
displayed.  
  
Impact  
  
Depending on configuration, this vulnerability allows unauthenticated  
users to remotely inject malicious content that could be displayed to  
all web site users. Such content could include links to malware that  
could lead to possible system compromise.  
  
Determining Version  
  
The answers.info page for vulnerable versions displays the following  
information:  
  
; $Id: answers.info,v 1.1 2008/01/09 05:12:23 amanuel Exp $  
name = Questions  
description = Allows users track their questions.  
package = "Answers"  
  
; Information added by drupal.org packaging script on 2008-05-22  
version = "5.x-1.x-dev"  
project = "answers"  
datestamp = "1211414452"  
  
Determining version information on Drupal sites is trivial in many cases  
(ref http://www.madirish.net/?article=214).  
  
Vendor Response  
  
The module developer has not responded to contact attempts.  
  
- --  
Mad Irish  
http://www.MadIrish.net  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQD1AwUBSMp1CZEpbGy7DdYAAQKfmwb/XcYp9dDrE5j9AbO2r9Mt6rnhVKBL/jsT  
p4ty8q4U34rsv9aI8pj2Pje/bbs+ryyI+HroeS7isnt7La1O7XZUc/NHONxAB6F/  
x1K9LgF1YWHidOk6eTbJ9kZ95yf55lBjAZi87+NWyORAId4hhC+SKIHwPA6xmkGM  
o764yXAEbcHSU98T+OnHesxXPor8p60sukPmMd5OA0f3dYPFPXVe7tfjgQL09SRO  
gXQjvmKTfyBdJkEWBnM7LFir7aC6f7iI9ygCEPryokF5tD/fyaxnh1U09q6d62u6  
24fdlKKK08g=  
=e9jj  
-----END PGP SIGNATURE-----  
  
`