Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting
2012-07-12T00:00:00
ID 1337DAY-ID-18974 Type zdt Reporter Zach Alexander Modified 2012-07-12T00:00:00
Description
Exploit for php platform in category web applications
Drupal Book Block 6.x-1.0-beta1 XSS Vulnerability
Project: Book Block
Version: 6.x-1.0-beta1
Component: Code
Category: bug report
Priority: major
Assigned: mcjim
Status: fixed
Issue tags: patch, security, vulnerability, xss
Issue Summary
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.
The Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a
block on their page that can generate an individual menu block for each of a site's books.
These blocks can then be administered as any other block to appear on the pages you choose.
The Book Block module contains a persistent script injection vulnerability (XSS) on its admin
page that fails to properly sanitize the titles of books.
Systems Affected:
Drupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.
Impact:
Users who have the ability to create books on the website can inject arbitrary script into
book titles. This script will execute whenever a user navigates to /admin/content/book/blocks.
This could lead to privilege escalation, account compromise or other attacks. This exploit
affects
Mitigating Factors:
In order to insert a malicious script into the database, access to a valid user account with
the ability to create Book nodes is required.
Proof of Concept:
1. Install and enable the Book Block module
2. Navigate to /node/add and click "Book page" to create a new book page
3. Enter '<script>alert('XSS Vulnerablity')</script>' into the "title" field, then fill in the "body" field arbitrarily and press "Save"
4. Navigate to /admin/content/book/blocks to view the rendered JavaScript
Patch:
The following patch mitigates this vulnerability:
$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc
--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400
+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400
@@ -13,7 +13,7 @@
* @ingroup forms
*/
function bookblock_admin_settings() {
- $books = book_get_books();
+ $books = array_map("check_plain",book_get_books());
if ($books) {
foreach ($books as $book) {
if (!$book['has_children']) {
@@ -31,4 +31,4 @@
$form['array_filter'] = array('#type' => 'value', '#value' => TRUE);
return system_settings_form($form);
}
-}
\ No newline at end of file
+}
# 0day.today [2018-02-05] #
{"hash": "1f444cd7ddbe7ee777f818d9a91c16410d11ad8d87774f47f4bbfa1ba8616c00", "id": "1337DAY-ID-18974", "lastseen": "2018-02-06T01:15:13", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "24c85305d64c09d46962eeccb8ec4c33", "key": "href"}, {"hash": "8ac454b5f920aa5aafe4bce87d905aee", "key": "modified"}, {"hash": "8ac454b5f920aa5aafe4bce87d905aee", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "00b3fc7464d68df28b53490853fd5ca5", "key": "reporter"}, {"hash": "fe13d11309408703bcdc701b172cb3e8", "key": "sourceData"}, {"hash": "a0364b69665c9abb04e4e257fc42a34f", "key": "sourceHref"}, {"hash": "68539178a0cb648059c841b069eb9f5f", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "vulnersScore": 4.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/18974", "description": "Exploit for php platform in category web applications", "title": "Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting", "history": [{"bulletin": {"hash": "a5b9f934dc9cd07c5a5dbf254d4ba8b6cfdb887563b7523034c7fe70752ec1b8", "id": "1337DAY-ID-18974", "lastseen": "2016-04-20T02:05:44", "enchantments": {"score": {"value": 3.5, "modified": "2016-04-20T02:05:44"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "68539178a0cb648059c841b069eb9f5f", "key": "title"}, {"hash": "8ac454b5f920aa5aafe4bce87d905aee", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8ac454b5f920aa5aafe4bce87d905aee", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00b3fc7464d68df28b53490853fd5ca5", "key": "reporter"}, {"hash": "c6f3d29e24ba40c31b66cfcaf066cc18", "key": "sourceData"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "c0baf5b4b6711bdd0de88e108a7e5943", "key": "sourceHref"}, {"hash": "3777d747509eb9e294a85d1fbf964dbf", "key": "href"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/18974", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "Drupal Book Block 6.x-1.0-beta1 Cross Site Scripting", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "\r\nDrupal Book Block 6.x-1.0-beta1 XSS Vulnerability\r\n\r\nProject: Book Block\r\nVersion: 6.x-1.0-beta1\r\nComponent: Code\r\nCategory: bug report\r\nPriority: major\r\nAssigned: mcjim\r\nStatus: fixed\r\nIssue tags: patch, security, vulnerability, xss\r\n\r\nIssue Summary\r\n\r\nDescription of Vulnerability:\r\n\r\nDrupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.\r\nThe Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a\r\nblock on their page that can generate an individual menu block for each of a site's books.\r\nThese blocks can then be administered as any other block to appear on the pages you choose.\r\nThe Book Block module contains a persistent script injection vulnerability (XSS) on its admin\r\npage that fails to properly sanitize the titles of books.\r\nSystems Affected:\r\n\r\nDrupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.\r\n\r\nImpact:\r\n\r\nUsers who have the ability to create books on the website can inject arbitrary script into\r\nbook titles. This script will execute whenever a user navigates to /admin/content/book/blocks.\r\nThis could lead to privilege escalation, account compromise or other attacks. This exploit\r\naffects\r\n\r\nMitigating Factors:\r\n\r\nIn order to insert a malicious script into the database, access to a valid user account with\r\nthe ability to create Book nodes is required.\r\n\r\nProof of Concept:\r\n\r\n1. Install and enable the Book Block module\r\n2. Navigate to /node/add and click \"Book page\" to create a new book page\r\n3. Enter '<script>alert('XSS Vulnerablity')</script>' into the \"title\" field, then fill in the \"body\" field arbitrarily and press \"Save\"\r\n4. Navigate to /admin/content/book/blocks to view the rendered JavaScript\r\n\r\nPatch:\r\n\r\nThe following patch mitigates this vulnerability:\r\n\r\n$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc\r\n--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400\r\n+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400\r\n@@ -13,7 +13,7 @@\r\n * @ingroup forms\r\n */\r\nfunction bookblock_admin_settings() {\r\n- $books = book_get_books();\r\n+ $books = array_map(\"check_plain\",book_get_books());\r\n if ($books) {\r\n foreach ($books as $book) {\r\n if (!$book['has_children']) {\r\n@@ -31,4 +31,4 @@\r\n $form['array_filter'] = array('#type' => 'value', '#value' => TRUE);\r\n return system_settings_form($form);\r\n }\r\n-}\r\n\\ No newline at end of file\r\n+}\r\n\n\n# 0day.today [2016-04-20] #", "published": "2012-07-12T00:00:00", "references": [], "reporter": "Zach Alexander", "modified": "2012-07-12T00:00:00", "href": "http://0day.today/exploit/description/18974"}, "lastseen": "2016-04-20T02:05:44", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "Drupal Book Block 6.x-1.0-beta1 XSS Vulnerability\r\n\r\nProject: Book Block\r\nVersion: 6.x-1.0-beta1\r\nComponent: Code\r\nCategory: bug report\r\nPriority: major\r\nAssigned: mcjim\r\nStatus: fixed\r\nIssue tags: patch, security, vulnerability, xss\r\n\r\nIssue Summary\r\n\r\nDescription of Vulnerability:\r\n\r\nDrupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.\r\nThe Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a\r\nblock on their page that can generate an individual menu block for each of a site's books.\r\nThese blocks can then be administered as any other block to appear on the pages you choose.\r\nThe Book Block module contains a persistent script injection vulnerability (XSS) on its admin\r\npage that fails to properly sanitize the titles of books.\r\nSystems Affected:\r\n\r\nDrupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.\r\n\r\nImpact:\r\n\r\nUsers who have the ability to create books on the website can inject arbitrary script into\r\nbook titles. This script will execute whenever a user navigates to /admin/content/book/blocks.\r\nThis could lead to privilege escalation, account compromise or other attacks. This exploit\r\naffects\r\n\r\nMitigating Factors:\r\n\r\nIn order to insert a malicious script into the database, access to a valid user account with\r\nthe ability to create Book nodes is required.\r\n\r\nProof of Concept:\r\n\r\n1. Install and enable the Book Block module\r\n2. Navigate to /node/add and click \"Book page\" to create a new book page\r\n3. Enter '<script>alert('XSS Vulnerablity')</script>' into the \"title\" field, then fill in the \"body\" field arbitrarily and press \"Save\"\r\n4. Navigate to /admin/content/book/blocks to view the rendered JavaScript\r\n\r\nPatch:\r\n\r\nThe following patch mitigates this vulnerability:\r\n\r\n$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc\r\n--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400\r\n+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400\r\n@@ -13,7 +13,7 @@\r\n * @ingroup forms\r\n */\r\nfunction bookblock_admin_settings() {\r\n- $books = book_get_books();\r\n+ $books = array_map(\"check_plain\",book_get_books());\r\n if ($books) {\r\n foreach ($books as $book) {\r\n if (!$book['has_children']) {\r\n@@ -31,4 +31,4 @@\r\n $form['array_filter'] = array('#type' => 'value', '#value' => TRUE);\r\n return system_settings_form($form);\r\n }\r\n-}\r\n\\ No newline at end of file\r\n+}\r\n\n\n# 0day.today [2018-02-05] #", "published": "2012-07-12T00:00:00", "references": [], "reporter": "Zach Alexander", "modified": "2012-07-12T00:00:00", "href": "https://0day.today/exploit/description/18974"}
