Drupal's Node Blocks Cross Site Scripting

Type packetstorm
Reporter Martin Barbella
Modified 2010-01-14T00:00:00


                                            `XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3  
and 5.x-1.1)  
Discovered by Martin Barbella <martybarbella@gmail.com>  
Description of Vulnerability:  
Drupal is a free software package that allows an individual or a  
community of users to easily publish, manage and organize a wide  
variety of content on a website. (From: http://drupal.org/about)  
The Node Blocks module allows users to specify content type(s) as  
being a block. This allows the content managers of the site to edit  
the block text and title without having to access the block  
administration page. (From: http://drupal.org/project/nodeblock)  
The block title is not properly sanitized when a user displays a block  
created from a node, resulting in a cross site scripting  
Systems affected:  
This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous  
versions may also be affected.  
This is an example of a stored cross site scripting vulnerability.  
Stored attacks are those where the injected code is permanently stored  
on the target servers, such as in a database, in a message forum,  
visitor log, comment field, etc. The victim then retrieves the  
malicious script from the server when it requests the stored  
information. (From OWASP:  
Mitigating factors:  
A user must be able to create nodes of a type used by Node Blocks, and  
this node must be added as a block by a user with the administer  
blocks permission.  
Proof of concept:  
1. Install the Node Blocks module  
2. Create a content type with available as block enabled  
3. As a user with permission to create nodes of this type, create a  
node with the title "<script>alert('XSS')</script>"  
4. As a user that can administer blocks, add this block to a region  
5. Note that an alert box will be displayed when the block is  
generated on a page  
Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module.  
2009-12-29 - Drupal Security notified.  
2010-01-13 - Security announcement released on drupal.org  
This vulnerability was reported by Martin Barbella to Khalid  
Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.