OG Menu 6.x-2.0 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
OG Menu 6.x-2.0 XSS Vulnerability  
  
CVE-2010-1747  
  
This disclosure has also been posted at http://madirish.net/?article=467  
  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Drupal OG Menu module  
(http://drupal.org/project/og_menu) "allows users to manage menus by  
Organic Groups." The OG Menu module contains a cross site scripting  
(XSS) vulnerability due to the fact that it fails to sanitize menu  
descriptions before display.  
  
Systems affected:  
- -----------------  
Drupal 6.16 with OG Menu 6.x-2.0 was tested and shown to be vulnerable  
  
Impact  
- ------  
User could inject arbitrary scripts into pages affecting site users.  
This could result in administrative account compromise leading to web  
server process compromise.  
  
Mitigating factors:  
- -------------------  
In order to execute the proof of concept described below malicious users  
must have 'Administer og menu' permission.  
  
Proof of Concept:  
- -----------------  
1. Install Drupal 6.16, Organic Groups module and OG Menu module  
2. Create or view a piece of content in an organic group  
3. Click on the 'Menu' link to view ?q=node/XX/og_menu where XX is the  
node id  
4. Click the 'Add Menu' link to view ?q=node/XX/og_menu/add  
5. Fill in arbitrary values for the 'Menu name' and 'Title', enter  
"<script>alert('xss');</script>" in the 'Description' text area  
6. Click the 'Save' button  
7. View the menu at ?q=node/13/og_menu/ to observe the JavaScript alert  
  
Patch:  
- ------------------------------------------  
Applying the following patch mitigates this issue in version 6.x-2.0  
  
- --- og_menu/og_menu.module 2010-02-09 07:33:31.000000000 -0500  
+++ og_menu/og_menu.module 2010-05-06 13:26:44.080266269 -0400  
@@ -333,6 +333,7 @@ function og_menu_overview_page($node) {  
while ($menu = db_fetch_array($result)) {  
$menu['href'] = 'node/'. $node->nid .'/og_menu/'. $menu['menu_name'];  
$menu['localized_options'] = array();  
+ $menu['description'] = check_plain($menu['description']);  
$content[] = $menu;  
}  
return theme('admin_block_content', $content);  
  
Vendor Response:  
- ----------------  
Module has been unpublished per SA-CONTRIB-2010-073.  
  
- --   
Justin C. Klein Keane  
http://www.MadIrish.net  
  
The digital signature on this message can be confirmed  
using the public key at http://www.madirish.net/gpgkey  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.10 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/  
  
iPwEAQECAAYFAkw+J6oACgkQkSlsbLsN1gDmFwb/efcAEfr5POryDYh3lk757eMv  
jkYJRyAn6FCrBPmo9qHpBjACES4FBd0katU5nchYYf/iGRj8TaJy3bPx5kc4xY/n  
pv3XTdk/eej3CHHZ1dANp/KzkE6ypwdQagJVscTtr/tbG+QSCn/y7uHSvyP3N04O  
GqNilWG6cdOX4W8O8Nqa3cScAVJaWfuX82f512t2poeLGUWRlar4BxX0YLamopQN  
P0+mqu/4GZqpB0wRKZHhzIrgz6OuoCuyS0FUezEdTJ0+BIBia76ZIsACs0CpeM6a  
I70jov9aO4j09oy4v50=  
=tBsX  
-----END PGP SIGNATURE-----  
  
`