[Full-disclosure] Drupal 6.12 (core) User Module XSS Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2009-05-21T00:00:00



Details of this disclosure have been posted at http://lampsecurity.org/drupal-role-xss-vulnerability

Vendor Notified: 05/19/09 Vendor Response: Drupal security team responds that this vulnerability has been publicly disclosed since October 2, 2008 and it is not considered a "security risk." Ref: http://drupal.org/node/316136.

Description of Vulnerability

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The user module is provided as part of the Drupal 6 core modules and contains a cross site scripting (XSS) vulnerability that can allow users with the 'administer permissions' permission to inject arbitrary HTML into role names. Users with 'administer permissions' permission could create new roles containing malicious JavaScript and silently attack site administrators. While users with this permission could elevate the permissions of their own role using permissions they have been granted, this flaw could allow for a "stealth" attack vector.

Systems Affected

Drupal 6.12 was tested and shown to be vulnerable


Authenticated users with 'administer permissions' can exploit this vulnerability to attack other users with privileges to view roles.

Mitigating factors:

Attacker must have 'administer permissions' permissions in order to exploit this vulnerability. Having this permission would allow a user to elevate permissions of their own role so this vulnerability would represent a more subtle attack vector.

Proof of concept:

  1. Install Drupal 6.12.
  2. Click Administer -> User management -> Roles
  3. Enter "<script>alert('xss');</script>" in the "Name" textarea
  4. Click the "Add Role" button
  5. Observe JavaScript alert


Note that this XSS affects several other functions in the Drupal 6 administrative back end.

Justin C. Klein Keane http://www.MadIrish.net http://LAMPSecurity.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iPwEAQECAAYFAkoTMxUACgkQkSlsbLsN1gCj7gb+J8Dtp8UkC/JvWlqjNvq0Geoy 2iBxGZc98m4DLGf6wqeQ5aeEMUMvITEB6MA3AKfha6p55fnL3Y3eQoydCM8CeKkB Zianya35NiJfZnAvesAYJuvYCGZHs7prSg3FhFHsLCEAXv1oWb6yAbGXK6dxGd+7 ljeMOjfKCvRbcFq+Pf9WsCBSXp++5MrVU1Tfz8MH4Q62Ku6ln42ZqC5v4exrG4vR THmPaIL74M0vxJbv/gvvXkEOplEvGyWUn20GDiMjk+tzJLQw76JvUt+VlBXdI0mB Wb1QZJnu1lAqK1SDYOU= =J8AK -----END PGP SIGNATURE-----

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/