Drupal Viewfield Module Cross Site Scripting

2009-02-26T00:00:00
ID PACKETSTORM:75216
Type packetstorm
Reporter Justin C. Klein Keane
Modified 2009-02-26T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Yes, it's yet another CCK related module with XSS vulnerabilities. It's  
lame, but it should be reported since the Drupal security team has  
already made an announcement about the issue in these modules. Drupal  
security and module maintainer have been notified. Details can also be  
found at http://www.lampsecurity.org/node/20.  
  
The Drupal Viewfield module (http://drupal.org/project/viewfield) is  
designed to allow the creation of nodes that display views and is  
vulnerable to cross site scripting attacks. Version 5.x-1.5 was tested  
and found vulnerable, but other versions may be affected. This problem  
is related to SA-CORE-2009-002 (http://drupal.org/node/372836). The  
problem occurs when an administrator creates a new content type using  
CCK and then adds or edits a view field for the new content type. Users  
authorized to administer content types can configure this field with  
malicious code in the "Help text:" area. Input to this field is not  
properly sanitized and JavaScript can be executed while attempting to  
create new content that includes the link field, or while configuring  
the link field.  
  
Here are the steps involved in reproducing this issue:  
  
  
1. Log in as a user with 'Administer content types' privilege  
2. Click Administer -> Content Types  
3. Click 'Add content type'  
4. Fill in required text in the Identification, Submission and other  
fieldsets  
5. Click 'Save content type' button  
6. Click 'edit' under the Operations column on the 'Administer' ->  
'Content management' screen for the new content type  
7. Click 'Add field'  
8. Fill in the 'Name' text box in the 'Create new field' fieldset and  
select the 'View' radio button  
9. Click the 'Create field' button  
10. In the next screen (assuming the new field was named 'test' and the  
new type was named 'test' this will be in Home > Administer > Content  
management > Content types > test) find the 'Widget settings' filedset  
11. Under "Help text:" enter <script>alert("xss");</script>  
12. Click 'Save field settings' button  
13. Click 'configure' under the Operations column for the View field OR  
click Create content and then choose the content type you created in  
the previous steps to trigger the JavaScript.  
  
- --  
Justin C. Klein Keane  
http://www.MadIrish.net  
http://www.LAMPSecurity.org  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQD1AwUBSaaxipEpbGy7DdYAAQL38Qb/UdUjLby/IgNk8RUwF2d63uYfwfy1G6rn  
vyuiGvpcOOz0y/iBmSs64UUSAPS55kYe4VQm9WXXMSQVfeBPuPnVACS8aGFmmCuX  
ZZXSE+wRYq1NlXw2L2tOw2br/rszm+DK4TREPkVYiBDpKbfMAuiGjBP9RQQunhqD  
+itxAvhspCjECOTfmE6s0PUXclC9Ypc2w9ow7a4yua5tmT2MntPjM1ByvXbldeNl  
O9S8O0D8DauoCxieKRMQWusdnh1yG7zMmSGUXOtkIAdGaRkTQ8JHKdQqKt8923hN  
3fbz9oU7bV8=  
=wH4k  
-----END PGP SIGNATURE-----  
  
`