Drupal 5.x / 6.x Core XSS

`The text of this advisory is also available at  
http://www.madirish.net/?article=441  
  
Description of Vulnerability:  
- - -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL that provides extensibility through various third  
party modules. The Contact module "enables the use of both personal and  
site-wide contact forms." The Contact module is one of the Drupal core  
modules, distributed with every Drupal site, but not enabled by default.  
  
Systems affected:  
- - -----------------  
Drupal 6.14 and 5.20 were tested and shown to be vulnerable.  
  
Impact:  
- - -------  
Cross site scripting (XSS) vulnerabilities may expose site administrative  
accounts to compromise which could lead to web server process compromise.  
  
Mitigating factors:  
- - -------------------  
To carry out the XSS exploit below the attacker must have 'administer  
site-wide contact form' permissions.  
  
Proof of Concept:  
- ---------------------  
1. Install Drupal 6.14 and enable the Contact module from Administer ->  
Modules  
2. Click Administer -> Site building -> Contact form  
3. Click 'Add category'  
4. Enter "<script>alert('xss');</script>" in the 'Category' text area  
5. Enter arbitrary recipients and click the 'Save' button  
6. Observe the rendered JavaScript at ?q=admin/build/contact  
  
Technical details:  
- ------------------------  
The Contact module fails to sanitize the output of the contact category  
names before display. Applying the following patch fixes this  
vulnerability.  
  
Patch  
- -------  
Applying the following patch mitigates these threats in Drupal 6.14.  
  
--- drupal-6.14/modules/contact/contact.admin.inc 2007-11-09  
02:55:13.000000000 -0500  
+++ drupal-6.14/modules/contact/contact.admin.inc 2009-11-11  
15:53:55.684432827 -0500  
@@ -13,7 +13,7 @@ function contact_admin_categories() {  
$result = db_query('SELECT cid, category, recipients, selected FROM  
{contact} ORDER BY weight, category');  
$rows = array();  
while ($category = db_fetch_object($result)) {  
- $rows[] = array($category->category, $category->recipients,  
($category->selected ? t('Yes') : t('No')), l(t('edit'),  
'admin/build/contact/edit/'. $category->cid), l(t('delete'),  
'admin/build/contact/delete/'. $category->cid));  
+ $rows[] = array(filter_xss($category->category), $category->recipients,  
($category->selected ? t('Yes') : t('No')), l(t('edit'),  
'admin/build/contact/edit/'. $category->cid), l(t('delete'),  
'admin/build/contact/delete/'. $category->cid));  
}  
$header = array(t('Category'), t('Recipients'), t('Selected'),  
array('data' => t('Operations'), 'colspan' => 2));  
  
  
Applying the following patch mitigates these threats in Drupal 5.20  
  
--- drupal-5.20/modules/contact/contact.module 2008-09-15  
02:19:06.000000000 -0400  
+++ drupal-5.20/modules/contact/contact.module 2009-11-11  
15:55:33.252401609 -0500  
@@ -145,7 +145,7 @@ function contact_admin_categories() {  
$result = db_query('SELECT cid, category, recipients, selected FROM  
{contact} ORDER BY weight, category');  
$rows = array();  
while ($category = db_fetch_object($result)) {  
- $rows[] = array($category->category, $category->recipients,  
($category->selected ? t('Yes') : t('No')), l(t('edit'),  
'admin/build/contact/edit/'. $category->cid), l(t('delete'),  
'admin/build/contact/delete/'. $category->cid));  
+ $rows[] = array(filter_xss($category->category), $category->recipients,  
($category->selected ? t('Yes') : t('No')), l(t('edit'),  
'admin/build/contact/edit/'. $category->cid), l(t('delete'),  
'admin/build/contact/delete/'. $category->cid));  
}  
$header = array(t('Category'), t('Recipients'), t('Selected'),  
array('data' => t('Operations'), 'colspan' => 2));  
  
Vendor Response  
-------------------------  
Upgrade to the latest version.  
http://drupal.org/node/661586  
  
--   
Justin C. Klein Keane  
http://www.MadIrish.net  
`