Drupal Panels Cross Site Scripting

Published 31 Jan 2011. Reported by Justin C. Klein Keane. Type: packetstorm. Source: packetstormsecurity.com

The Drupal Panels module has a cross site scripting (XSS) vulnerability that allows arbitrary HTML injection, potentially compromising site users and administrative accounts.

Code

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Drupal Panels module  
(http://drupal.org/project/panels) "allows a site administrator to  
create customized layouts for multiple uses. At its core it is a drag  
and drop content manager that lets you visually design a layout and  
place content within that layout." Unfortunately the Panels module  
contains an arbitrary HTML injection vulnerability (also known as cross  
site scripting, or XSS) because it fails to sanitize the CSS class and  
id values assigned to panes before display.  
  
Systems affected:  
- -----------------  
Drupal 5.21 with Panels 5.x-1.2 was tested and shown to be vulnerable.  
  
Impact  
- ------  
A user could inject arbitrary scripts into pages, affecting site users.  
This could result in administrative account compromise leading to web  
server process compromise. A more likely scenario would be for an  
attacker to inject hidden content (such as iframes, applets, or embedded  
objects) that would attack client browsers in an attempt to compromise  
site users' machines. This vulnerability could also be used to launch  
cross site request forgery (XSRF) attacks against the site that could  
have other unexpected consequences.  
  
Mitigating factors:  
- -------------------  
In order to exploit this vulnerability the attacker must have  
credentials to an authorized account that has been assigned the 'use  
page manager' and 'administer advanced pane settings' permissions. This  
could be accomplished via social engineering, brute force password  
guessing, or abuse of legitimate credentials.  
  
Proof of concept:  
- -----------------  
1. Install Drupal 5, Panels 5.x-1.2 and the Ctools module (a prerequisite)  
2. Enable the Panels module and the page manager in Ctools from  
?q=/admin/build/modules  
3. Administer panels from ?q=/admin/build/panels and click on the  
'Panel page' link on the left  
4. Check 'Make this your site home page' and fill in arbitrary values  
for the rest  
5. In the resulting screen  
(?q=admin/build/pages/add/page-[page_name]/next) select 'Flexible'  
and 'Builders' from the Category drop-down  
6. Click continue  
7. Enter arbitrary values in the resulting form  
8. Click finish, then 'Update and save'  
9. In the Panel Content designer  
(?q=admin/build/pages/nojs/operation/page-[page_name]/handlers/page_[page_name]_panel_context/content)  
click the gear in the 'Center' region  
10. Select 'Add content'  
11. Select 'Existing node' and enter the nid of an existing node  
12. Click the gear to the right of the header in the new box preview of  
the node  
13. Select 'CSS Properties'  
14. In the shadow box that pops up enter  
'"><script>alert('xss1');</script><div id="' for the 'CSS ID'  
15. Enter '"><script>alert('xss1');</script><div id="' for the 'CSS class'  
16. Click 'Update and preview' to observe the JavaScript alerts  
17. Click 'Save' to store these values so they are displayed on the  
home page  
  
  
Patch:  
- ------------------------------------------  
Applying the following patch mitigates this issue in version 5.x-1.2.  
  
- --- modules/panels/content_types/custom.inc 2007-03-15  
19:13:41.000000000 -0400  
+++ modules/panels/content_types/custom.inc 2011-01-14  
12:04:23.371814132 -0500  
@@ -16,8 +16,8 @@ function panels_custom_panels_content_ty  
*/  
function panels_content_custom($conf) {  
$title = filter_xss_admin($conf['title']);  
- - $css_id = filter_xss_admin($conf['css_id']);  
- - $css_class = filter_xss_admin($conf['css_class']);  
+ $css_id = str_replace('"', '', filter_xss_admin($conf['css_id']));  
+ $css_class = str_replace('"', '', filter_xss_admin($conf['css_class']));  
$body = check_markup($conf['body'], $conf['format'], FALSE);  
return theme('panels_content_custom', $title, $body, $css_id,  
$css_class);  
}  
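Review bot: the fix only touches custom.inc, yet the proof of concept above reaches the 'CSS ID' and 'CSS class' fields through an 'Existing node' pane, so the node content type (and any other content type that passes css_id/css_class to the theme layer) needs the same treatment or the reported path stays open. Also, `str_replace('"', '', ...)` only blocks breakout from a double-quoted attribute and still passes characters such as `<`, `>`, `'` and spaces that have no place in a CSS identifier; a positive whitelist, for example `preg_replace('/[^A-Za-z0-9 _-]/', '', $conf['css_class'])`, leaves a smaller surface and does not depend on how the theme function quotes the attribute.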
  
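To make the attribute-context problem from the description and the shape of the patch concrete, here is an added example in plain PHP; it is not code from the advisory or from the Panels module. render_pane() is a hypothetical stand-in for the theme function and assumes double-quoted attributes; clean_css_identifier() and clean_css_class_list() are hypothetical whitelist helpers, not Drupal APIs; the payload is constructed to mirror the one in the proof of concept. Drupal's filter_xss_admin() is deliberately left out so the effect of quote stripping and identifier whitelisting can be seen on their own, and a real HTML parser (DOMDocument) counts script elements so that a payload left inside an attribute value is not mistaken for an injected element.

```php
<?php
// Added example, not code from the advisory or the Panels module.
// Contrasts three ways of handling an administrator-supplied CSS id/class
// before it lands in a double-quoted HTML attribute.

/**
 * Hypothetical stand-in for the theme function that wraps a pane body in a
 * div. Assumes the real theme output uses double-quoted attributes.
 */
function render_pane(string $css_id, string $css_class, string $body): string
{
    return sprintf('<div id="%s" class="%s">%s</div>', $css_id, $css_class, $body);
}

/** Fix shape used by the advisory's patch: drop double quotes only. */
function strip_double_quotes(string $value): string
{
    return str_replace('"', '', $value);
}

/**
 * Hypothetical whitelist helper (not a Drupal API): keep only characters that
 * can appear in a CSS identifier, so quotes, angle brackets and spaces vanish
 * regardless of how the theme quotes the attribute.
 */
function clean_css_identifier(string $value): string
{
    return preg_replace('/[^A-Za-z0-9_-]/', '', $value);
}

/** A class attribute may carry several space-separated identifiers. */
function clean_css_class_list(string $value): string
{
    $parts = preg_split('/\s+/', trim($value));
    $clean = array_filter(array_map('clean_css_identifier', $parts), 'strlen');
    return implode(' ', $clean);
}

/**
 * Parse the markup with a real HTML parser and count <script> elements.
 * A payload that stays inside an attribute value is text, not an element,
 * so this does not over-count the way a naive substring search would.
 */
function count_script_elements(string $html): int
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    $dom->loadHTML($html);
    libxml_clear_errors();
    return $dom->getElementsByTagName('script')->length;
}

// Constructed payload with the same shape as the one in the PoC above.
$payload = '"><script>alert(\'xss1\');</script><div id="';
$body = 'Hello, pane.';

$variants = [
    'raw value (pre-patch behaviour)'      => [$payload, $payload],
    'strip double quotes (advisory patch)' => [strip_double_quotes($payload), strip_double_quotes($payload)],
    'whitelist identifier characters'      => [clean_css_identifier($payload), clean_css_class_list($payload)],
];

foreach ($variants as $label => [$id, $class]) {
    $html = render_pane($id, $class, $body);
    printf("%-38s script elements: %d\n  %s\n", $label, count_script_elements($html), $html);
}
```

Run it with `php example.php`. The raw row parses to two script elements, the quote-stripping row to none because the tags remain inside the attribute value, and the whitelist row to bare identifier characters only. The whitelist also copes with a class value that legitimately carries several space-separated names, a case the quote-stripping fix does not consider.
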
Vendor Response:  
- ------------------------------------------  
The Drupal security team no longer supports resolution of vulnerabilities  
in Drupal 5. The module maintainer was notified in public forums.  
  
Details of this vulnerability are also posted at  
http://www.madirish.net/?article=478  
  
- --   
Justin Klein Keane  
http://www.MadIrish.net  
  
The digital signature on this e-mail may be confirmed using the  
PGP key located at: http://www.madirish.net/gpgkey  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/  
  
iPwEAQECAAYFAk1HLrEACgkQkSlsbLsN1gA8dAb+KWZ4opsQLGLe8lseM0JNxigK  
2GUACkPq6kuAIarYcpogWLE8AbQEpNTtLTOgSnHtYMV69FBaDibgwY/ZLBP9JsNC  
5iKopCmvEAp8CB9LC/jSFffoiIBNUFJmmFl8Zk+elMbN4uDgApLpUA67iIxrGH1e  
8K8iC8a7j13WTdh6a13x3+GVO7ezfVrlxoRKLJWX/S+LmWfFAwO0oPSom7aH0Kpl  
CewLQgi/p13kTNmyeMmjLdzUaboQpRetzv3PWuZR/+m9FC9CP1I9hwhQCaE4R1WK  
NMJ0Aj9V/k1eY5Giezg=  
=uoO2  
-----END PGP SIGNATURE-----  
  