Version Tested:
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)
Drupal 5.15 (http://drupal.org)
Module maintainer and Drupal security team notified
"The taxonomy_theme module allows you to change the theme of a given
node based on the taxonomy term, vocabulary or nodetype of that node.
You can also theme your forums and map themes to Drupal paths or path
aliases directly." The module contains a Cross Site Scripting (XSS)
vulnerability that can allow users with 'administer taxonomy' privileges
to expose users of the Taxonomy Theme module to XSS attacks. Details
are also available at http://www.lampsecurity.org/node/21
Executing the Attack:
1. Enable the Drupal core Taxonomy module
2. Create a new vocabulary by clicking Administer -> Content Management
-> Categories.
3. Click the 'Add Vocabulary' link
4. For the 'Vocabulary name' enter <script>alert('xss');</script>, fill
in arbitrary values for all other fields
5. Click on Administer -> Site configuration -> Taxonomy Theme, then
click the 'Taxonomy' link to trigger the JavaScript.
Technical Details:
This flaw exists due to a lack of output escaping in the
taxonomy_theme_admin_table_builder() function. Specifically, line
388 of taxonomy_theme_admin.inc, which reads:

  $form['table'][$item->$data['key']]['title'] = array('#value' => $item->name);

should use check_plain() or a similar sanitization function on the
$item->name value, like so:

  $form['table'][$item->$data['key']]['title'] = array('#value' => check_plain($item->name));
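
The same pattern, a '#value' set straight from a stored property, can be
searched for across module source. The scanner below is an added example, not
code from the advisory or the module; the sample PHP is constructed from the
two statements above, and the list of accepted escaping functions is an assumption.

```python
import re

# Constructed sample: the two assignments from the advisory plus one
# unrelated form element, laid out as in the advisory text.
SAMPLE = """\
$form['table'][$item->$data['key']]['title'] = array('#value' =>
$item->name);
$form['table'][$item->$data['key']]['fixed'] = array('#value' =>
check_plain($item->name));
$form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
"""

# Assumption: calls to these Drupal functions count as escaped output.
SAFE_WRAPPERS = ("check_plain", "filter_xss", "filter_xss_admin", "check_markup")
VALUE_RE = re.compile(r"""['"]#value['"]\s*=>\s*""")

def value_expression(src, start):
    """Return the PHP expression beginning at src[start], ending at the first
    ',' or ')' outside nested parentheses/brackets (heuristic, not a parser)."""
    depth = 0
    for i in range(start, len(src)):
        ch = src[i]
        if ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:
                return src[start:i].strip()
            depth -= 1
        elif ch == "," and depth == 0:
            return src[start:i].strip()
    return src[start:].strip()

def find_unescaped_values(src):
    """Return (line_number, expression) for each '#value' assigned a bare
    variable or property instead of a call to a known escaping function."""
    findings = []
    for m in VALUE_RE.finditer(src):
        expr = value_expression(src, m.end())
        wrapped = re.match(r"(\w+)\s*\(", expr)
        if wrapped and wrapped.group(1) in SAFE_WRAPPERS:
            continue
        if expr.startswith("$"):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, expr))
    return findings

if __name__ == "__main__":
    for line, expr in find_unescaped_values(SAMPLE):
        print(f"line {line}: '#value' set from unescaped {expr}")
```

Each hit still needs manual review: a flagged variable may have been escaped
earlier, and an unflagged call may not escape for the context it is used in.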
--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org