Drupal Custom Pagers Module Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Drupal Custom Pagers module  
(http://drupal.org/project/custom_pagers) "allows administrators to  
define context-sensitive previous/next pagers for any node type." The  
Custom Pagers module contains an arbitrary HTML injection vulnerability  
(also known as cross site scripting, or XSS) due to the fact that it  
fails to sanitize Custom Pagers names before display in the  
administrative back end interface.  
  
Systems affected:  
- -----------------  
Drupal 5.21 with Custom Pagers 5.x-1.9, and Drupal 6.19 with Custom  
Pagers 6.x-1.0-beta2 were tested and shown to be vulnerable  
  
Impact  
- ------  
User could inject arbitrary scripts into pages affecting site users.  
This could result in administrative account compromise leading to web  
server process compromise. A more likely scenario would be for an  
attacker to inject hidden content (such as iframes, applets, or embedded  
objects) that would attack client browsers in an attempt to compromise  
site users' machines. This vulnerability could also be used to launch  
cross site request forgery (XSRF) attacks against the site that could  
have other unexpected consequences.  
  
Mitigating factors:  
- -------------------  
In order to exploit this vulnerability the attacker must have  
credentials to an authorized account that has been assigned the  
'administer custom pagers' permission. This could be accomplished via  
social engineering, brute force password guessing, or abuse or  
legitimate credentials.  
  
Proof of concept:  
- -----------------  
1. Install Drupal, and the Custom Pager module  
2. Navigate to the Custom pagers administration page at  
?q=admin/build/custom_pagers  
3. Click the 'Add a new custom pager' link or go to  
?q=admin/build/custom_pagers/add  
4. For the 'Title' of the new page enter "<script>alert('xss');</script>"  
5. Enter arbitrary values for the rest of the form and click the  
'Submit' button  
6. Observe the persistent XSS at ?q=admin/build/custom_pagers  
  
  
Patch:  
- ------------------------------------------  
Applying the following patch mitigates this issue in version 5.x-1.9  
  
- --- custom_pagers/custom_pagers.module 2007-08-16 09:49:33.000000000 -0400  
+++ custom_pagers/custom_pagers.module 2011-01-31 16:33:08.657233745 -0500  
@@ -132,7 +132,7 @@ function custom_pagers_page() {  
$rows = array();  
foreach ($pagers as $pager) {  
$row = array();  
- - $row[] = $pager->title;  
+ $row[] = check_plain($pager->title);  
$row[] = !empty($pager->list_php) ? t('PHP snippet') : $pager->view  
. t(' view');  
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') :  
$pager->node_type . t(' nodes');  
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' .  
$pager->pid);  
  
  
Applying the following patch mitigates this issue in version 6.x-1.0-beta2  
  
- --- custom_pagers/custom_pagers.admin.inc 2010-01-17 17:57:39.000000000  
- -0500  
+++ custom_pagers/custom_pagers.admin.inc 2011-01-31 16:36:10.967026063  
- -0500  
@@ -15,7 +15,7 @@ function custom_pagers_page() {  
$rows = array();  
foreach ($pagers as $pager) {  
$row = array();  
- - $row[] = $pager->title;  
+ $row[] = check_plain($pager->title);  
$row[] = !empty($pager->list_php) ? t('PHP snippet') :  
t('%view_name view', array('%view_name' => $pager->view));  
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') :  
t('%node_type nodes', array('%node_type' => $pager->node_type));  
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' .  
$pager->pid);  
  
  
Vendor Response:  
- ------------------------------------------  
Drupal security team no longer supports vulnerabilities in Drupal 5 and  
explicitly does not support resolution of vulnerabilities in modules  
designated alpha, beta, dev, or other testing release. Module  
maintainer notified in public forums.  
  
Disclosure also posted at http://www.madirish.net/?article=479  
  
- --   
Justin Klein Keane  
http://www.MadIrish.net  
  
The digital signature on this e-mail may be confirmed using the  
PGP key located at: http://www.madirish.net/gpgkey  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/  
  
iPwEAQECAAYFAk1HMegACgkQkSlsbLsN1gCTigb/Xj3RJjyzB1vYt5mQlhh5UJBe  
NA+2mg3zn5t18taTS3Z/tbS5RcchLk2wsf87Afh/MvRDvIJIukkFJtH6X0HXVamx  
fz8//sDiriSbz6729i2wLo0cy1ei/rBZLVKfGGRqvOrPiI/TBO69xhTdkEYXXSob  
tbKzJzFCfTv8qn+EVXOzeAzXrk2VMnMUpJ5uNv4aBoVfMPTJ7SgnKf2x1CGYYhNA  
WFsvczG6mPQ1Q5Z3L+Lt+VIxgcC3u+Bf/WDZ1GxntyOOqvUjaebpv5YyeMlkLqju  
alZDmoTqjHy8w7WNqhE=  
=dxhm  
-----END PGP SIGNATURE-----  
  
`