Drupal Taxonomy Theme Cross Site Scripting

2009-02-26T00:00:00
ID PACKETSTORM:75239
Type packetstorm
Reporter Justin C. Klein Keane
Modified 2009-02-26T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
Version Tested:  
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)  
Drupal 5.15 (http://drupal.org)  
  
Module maintainer and Drupal security team notified  
  
"The taxonomy_theme module allows you to change the theme of a given  
node based on the taxonomy term, vocabulary or nodetype of that node.  
You can also theme your forums and map themes to Drupal paths or path  
aliases directly." The module contains a Cross Site Scripting (XSS)
vulnerability: a vocabulary name is rendered into the module's
administration page without escaping, so any user with the 'administer
taxonomy' permission can inject script that executes in the browser of
whoever views the Taxonomy Theme settings page (typically a site
administrator). Details are also available at http://www.lampsecurity.org/node/21
  
Executing the Attack:  
  
1. Enable the Drupal core Taxonomy module  
2. Create a new vocabulary by clicking Administer -> Content Management
-> Categories.
3. Click the 'Add Vocabulary' link  
4. For the 'Vocabulary name' enter <script>alert('xss');</script>, fill  
in arbitrary values for all other fields  
5. Click on Administer -> Site configuration -> Taxonomy Theme, then  
click the 'Taxonomy' link to trigger the JavaScript.  
  
Technical Details:  
  
This flaw exists due to a lack of output escaping in the
taxonomy_theme_admin_table_builder() function. Specifically, line
388 of taxonomy_theme_admin.inc, which reads:
  
$form['table'][$item->$data['key']]['title'] = array('#value' =>  
$item->name);  
  
should apply check_plain() or a similar sanitization function to the
$item->name value (the '#value' of a markup element is emitted verbatim
by the form renderer, so nothing downstream will escape it), like so:
  
$form['table'][$item->$data['key']]['title'] = array('#value' =>  
check_plain($item->name));  
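The following is an added example, not code from the advisory or from the taxonomy_theme module. It reproduces the unsafe and the fixed form construction side by side outside of Drupal, so the effect of the one-line change can be checked without a Drupal 5 install. The helper names (check_plain_stub, sample_vocabulary, build_row_unsafe, build_row_safe, render_title, contains_script_tag) are all invented for this example; check_plain_stub assumes Drupal 5's check_plain() escapes with htmlspecialchars() and ENT_QUOTES, and render_title assumes the renderer emits a markup element's '#value' verbatim. The vocabulary object is constructed inline with the name from step 4 above.

```php
<?php
// Added example (not part of the advisory or the taxonomy_theme module).
// Shows why the unescaped '#value' on line 388 is exploitable and what
// check_plain() changes, using stand-ins for the Drupal pieces involved.

// Stand-in for Drupal 5's check_plain(). Assumption: it is equivalent to
// htmlspecialchars() with ENT_QUOTES, which neutralises <, >, &, " and '.
function check_plain_stub($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a vocabulary object shaped like the ones
// taxonomy_get_vocabularies() returns, with the attacker-supplied name
// from step 4 of the advisory.
function sample_vocabulary() {
    $v = new stdClass();
    $v->vid  = 1;
    $v->name = "<script>alert('xss');</script>";
    return $v;
}

// Vulnerable variant: mirrors line 388 of taxonomy_theme_admin.inc.
// Braces are used around the dynamic property so the line parses the same
// way on PHP 5 and PHP 7+ (PHP 5 read $item->$data['key'] this way).
function build_row_unsafe($item, $data) {
    $form = array();
    $form['table'][$item->{$data['key']}]['title'] = array(
        '#value' => $item->name,
    );
    return $form;
}

// Fixed variant: the one-line change the advisory proposes.
function build_row_safe($item, $data) {
    $form = array();
    $form['table'][$item->{$data['key']}]['title'] = array(
        '#value' => check_plain_stub($item->name),
    );
    return $form;
}

// Stand-in for the form renderer: a markup element's '#value' is placed in
// the page as-is, which is exactly why escaping must happen when it is set.
function render_title($form, $key) {
    return '<td>' . $form['table'][$key]['title']['#value'] . '</td>';
}

// Crude check for the payload surviving into the rendered HTML.
function contains_script_tag($html) {
    return stripos($html, '<script') !== false;
}

$item = sample_vocabulary();
$data = array('key' => 'vid');   // the admin table is keyed by vocabulary id

$unsafe = render_title(build_row_unsafe($item, $data), $item->vid);
$safe   = render_title(build_row_safe($item, $data), $item->vid);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo "unsafe cell carries a <script> tag: " . (contains_script_tag($unsafe) ? 'yes' : 'no') . "\n";
echo "safe cell carries a <script> tag:   " . (contains_script_tag($safe) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The unsafe row reproduces the stored payload byte for byte inside the table cell; the fixed row turns the angle brackets and quotes into entities, so the browser displays the vocabulary name as text. check_plain() rather than filter_xss() is the right tool here because a vocabulary name is plain text, not an HTML fragment, and should never contain markup at all.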
  
--
Justin C. Klein Keane  
http://www.MadIrish.net  
http://www.LAMPSecurity.org  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQD1AwUBSacCnZEpbGy7DdYAAQJYPQb/YnDXlQPm5RBW/p9nnx0ER/LJQ2KbFUUR  
KTY9L+JsCiClV8PmLxjH8kSUsD5ITIMNmiVoA7OtsOGPD2oiaIuxqrjEKiXkThTb  
ugkdrxMsu0dxITI837vt2nJfiHThCuk293Dzf6mGbrMJ77DDeybvyKKP/YxZGqNv  
XOI87vedSjqJnREFLjGcyFfmczVTY+CkOaDkgKvWxrqoeOlUvbu7zO52UJm1ZSm0  
vJ8gz176zl9R5O/Ar28f7ddlksFmWANgqBSmRCRQLoNBdPcNz4bjmuLc7YFVlYDi  
yP1P/e/PNYw=  
=laaL  
-----END PGP SIGNATURE-----  
  