The Protected Node module fails to properly sanitize the text entered in the 'Password page info' field at Administer -> Site Configuration -> Protected Node before displaying it. Users with the 'administer site configuration' permission can access this page.
Steps to reproduce the exploit:
1. Enable the Protected Node module
2. Set permissions (Administer -> User Management) so anonymous users can access protected content in the protected_node module section
3. Click Administer -> Site Configuration -> Protected node
4. Enter the value into the 'Password page info' textarea
5. Create a new piece of content
6. In the 'Protected node' section on the content creation screen check the 'Node is protected' checkbox and enter a password.
7. Save the content.
8. Log out and view the content; the password prompt page renders the injected JavaScript
Technical details:
This vulnerability is introduced by a failure to sanitize user input as it is displayed in the protected_node_enterpassword() function in protected_node.module. Lines 272-274 print the user-supplied text using the statement:
$form['protected_node'] = array(
'#value' => $info
);
The $info variable should be sanitized using check_plain() or a similar function in order to prevent the XSS vulnerability.
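The following is an added, self-contained example (not code from the Protected Node module or its maintainer) that contrasts the vulnerable '#value' assignment above with the check_plain() fix. Because Drupal's check_plain() and drupal_render() are not available outside Drupal, the script defines minimal stand-ins that mirror their Drupal 6 behaviour; those stand-ins, and the sample textarea content, are assumptions made for this example.

```php
<?php
// Added example: why an unescaped '#value' markup element yields XSS, and
// what check_plain() changes. Not code from the Protected Node module.

// Stand-in for Drupal 6's check_plain() (assumption: mirrors its
// implementation, htmlspecialchars with ENT_QUOTES and UTF-8).
if (!function_exists('check_plain')) {
    function check_plain($text) {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// Stand-in for drupal_render() on a single element (assumption: in
// Drupal 6 an element with no '#type' is a 'markup' element whose
// '#value' is emitted verbatim, which is what the vulnerable lines rely on).
function render_markup(array $element) {
    return isset($element['#value']) ? $element['#value'] : '';
}

// The vulnerable pattern from protected_node_enterpassword(): $info is the
// 'Password page info' text saved by an administrator.
function build_form_vulnerable($info) {
    $form = array();
    $form['protected_node'] = array(
        '#value' => $info,
    );
    return $form;
}

// Hardened pattern: escape the text before it reaches the markup element.
function build_form_fixed($info) {
    $form = array();
    $form['protected_node'] = array(
        '#value' => check_plain($info),
    );
    return $form;
}

// A check a tester can keep in a unit test for the fix: does the rendered
// HTML still contain an active <script> tag?
function contains_active_script($html) {
    return stripos($html, '<script') !== false;
}

// Constructed sample input: what a malicious administrator might enter.
$info = 'Enter the password below.<script>alert(document.cookie)</script>';

$vulnForm  = build_form_vulnerable($info);
$fixedForm = build_form_fixed($info);

$vuln  = render_markup($vulnForm['protected_node']);
$fixed = render_markup($fixedForm['protected_node']);

echo "Vulnerable output: $vuln\n";
echo "Fixed output:      $fixed\n";
echo "Script survives (vulnerable): " . var_export(contains_active_script($vuln), true) . "\n";
echo "Script survives (fixed):      " . var_export(contains_active_script($fixed), true) . "\n";
```

check_plain() converts every tag to text, so any HTML the administrator intended (for example a link in the password page text) is also neutralised; where limited markup is required, Drupal's filter_xss_admin() or filter_xss() is the usual "similar function", at the cost of a larger allowed-tag surface that must be reviewed.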
Comments
Comment #1
mtolmacs commented: Committed the fix. Thank you for letting me know.
Comment #2
mtolmacs commented
Comment #3
heine commented: As per SA-CORE-2009-002 (Drupal core - Administer content types permission), we do not consider this a security vulnerability.