Drupal Viewfield Module Cross Site Scripting

Type packetstorm
Reporter Justin C. Klein Keane
Modified 2009-02-26T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
Yes, it's yet another CCK related module with XSS vulnerabilities. It's  
lame, but it should be reported since the Drupal security team has  
already made an announcement about the issue in these modules. Drupal  
security and module maintainer have been notified. Details can also be  
found at http://www.lampsecurity.org/node/20.  
The Drupal Viewfield module (http://drupal.org/project/viewfield) is  
designed to allow the creation of nodes that display views and is  
vulnerable to cross site scripting attacks. Version 5.x-1.5 was tested  
and found vulnerable, but other versions may be affected. This problem  
is related to SA-CORE-2009-002 (http://drupal.org/node/372836). The  
problem occurs when an administrator creates a new content type using  
CCK and then adds or edits a view field for the new content type. Users  
authorized to administer content types can configure this field with  
malicious code in the "Help text:" area. Input to this field is not  
properly sanitized and JavaScript can be executed while attempting to  
create new content that includes the link field, or while configuring  
the link field.  
Here are the steps involved in reproducing this issue:  
1. Log in as a user with 'Administer content types' privilege  
2. Click Administer -> Content Types  
3. Click 'Add content type'  
4. Fill in required text in the Identification, Submission and other  
5. Click 'Save content type' button  
6. Click 'edit' under the Operations column on the 'Administer' ->  
'Content management' screen for the new content type  
7. Click 'Add field'  
8. Fill in the 'Name' text box in the 'Create new field' fieldset and  
select the 'View' radio button  
9. Click the 'Create field' button  
10. In the next screen (assuming the new field was named 'test' and the  
new type was named 'test' this will be in Home > Administer > Content  
management > Content types > test) find the 'Widget settings' filedset  
11. Under "Help text:" enter <script>alert("xss");</script>  
12. Click 'Save field settings' button  
13. Click 'configure' under the Operations column for the View field OR  
click Create content and then choose the content type you created in  
the previous steps to trigger the JavaScript.  
- --  
Justin C. Klein Keane  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org