Vulnerability Summary Report
Date of Contact: August 18, 2009 10:00 GMT -0400
Author: Justin C. Klein Keane
Disclosure URL:
http://lampsecurity.org/drupal-flag-module-vulnerability
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Flag module (http://drupal.org/project/flag) "is a flexible flagging system that is completely customizable by the administrator. Using this module, the site administrator can provide any number of flags for nodes, comments, or users. Some possibilities include bookmarks, marking important, friends, or flag as offensive. With extensive views integration, you can create custom lists of popular content or keep tabs on important content."
The Flag module contains a cross-site scripting vulnerability because it does not properly sanitize the output of role names before displaying them on the flag creation form.
Systems affected:
-----------------
Drupal 6.13 with Flag 6.x-1.1 was tested and shown to be vulnerable.
Impact:
-------
XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.
Mitigating factors:
-------------------
The Flag module must be installed. To carry out a role-based XSS exploit against the module, the attacker must be able to inject malicious role names, which requires the 'administer permissions' permission or write access to the Drupal database. Only users with permission to 'administer flags' are affected by this vulnerability.
Proof of Concept:
---------------------
1. Install Drupal 6.13
2. Install Flag 6.x-1.1
3. Enable the Flag and Flag actions modules from Administer -> Site building -> Modules
4. Click the Administer -> User Management -> Roles link
5. Enter "
" in the 'Name' textarea and click the 'Add role' button
6. (Note that this triggers an XSS, a vulnerability in 6.13 core)
7. Click Administer -> Site Building -> Flags
8. Click the 'Add' tab
9. Fill in an arbitrary 'Flag name' and click the 'Submit' button
10. Observe the JavaScript alert
Technical details:
------------------------
The Flag module fails to sanitize role names on line 708 of flag.views.inc before display.
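As an added illustration of the defect class described above (this script is not the Flag module's code; `check_plain_example` and `render_checkboxes` are stand-ins written for this note, and the role list is constructed sample data), the following standalone PHP script renders a role checkbox list once with raw names and once with names escaped the way Drupal 6's check_plain() does, using the same array_map pattern as the patch below:

```php
<?php
// Added example, not Flag module code. Shows why option labels built from
// administrator-supplied names must be HTML-escaped before they reach the
// page, and how a check_plain()-style escape fixes it.

// Stand-in for Drupal 6's check_plain(): escape a plain string for HTML.
// (Drupal's real function additionally validates UTF-8 before escaping.)
function check_plain_example($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render a set of checkboxes from a key => label array. Labels are emitted
// verbatim, so the caller is responsible for escaping them; this mirrors
// a form builder that passes '#options' straight to the theme layer.
function render_checkboxes($name, array $options) {
    $html = '';
    foreach ($options as $key => $label) {
        $safe_key = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        $html .= sprintf(
            '<label><input type="checkbox" name="%s[%s]" value="%s"> %s</label>' . "\n",
            $name, $safe_key, $safe_key, $label
        );
    }
    return $html;
}

// Returns true if a raw <script> tag survives into the rendered HTML.
function contains_raw_script($html) {
    return strpos($html, '<script>') !== false;
}

// Constructed role list (rid => name), as a user holding 'administer
// permissions' could create it. The second name carries markup.
$roles = array(
    2 => 'authenticated user',
    3 => 'Editor <script>alert(1)</script>',
);

// Vulnerable path: role names go straight through as option labels.
$unsafe = render_checkboxes('roles', $roles);

// Fixed path: escape every label first. array_map() with a single array
// argument preserves the rid keys, so '#default_value' matching still works.
$safe = render_checkboxes('roles', array_map('check_plain_example', $roles));

echo "--- unescaped labels ---\n", $unsafe;
echo "raw script tag present: ", var_export(contains_raw_script($unsafe), true), "\n\n";

echo "--- escaped labels ---\n", $safe;
echo "raw script tag present: ", var_export(contains_raw_script($safe), true), "\n";
```

Run it with `php example.php`; the escaped rendering shows the role name as literal text (`&lt;script&gt;...`) while the unescaped one emits the markup as-is, which is the behaviour the proof of concept relies on.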
Vendor Response:
-----------------
It is the position of Drupal security that "'administer permissions' allows arbitrary permission escalation already, so [...] we do not consider it a security vulnerability."
Patch
-------
Applying the following patch mitigates these threats.
diff -up flag/flag.module flag_fixed/flag.module
--- flag/flag.module 2009-03-14 02:13:54.000000000 -0400
+++ flag_fixed/flag.module 2009-08-18 09:23:37.404047187 -0400
@@ -702,10 +702,11 @@ function flag_form(&$form_state, $name,
$form['roles']['#value'] = $flag->roles;
}
+ $options = array_map('check_plain', node_get_types('names'));
$form['types'] = array(
'#type' => 'checkboxes',
'#title' => t('What nodes this flag may be used on'),
- '#options' => node_get_types('names'),
+ '#options' => $options,
'#default_value' => $flag->types,
'#description' => t('Check any node types that this flag may be used on. You must check at least one node type.'),
'#required' => TRUE,
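Review bot: the hunk escapes node type names, but the report describes unsanitized role names; the visible context (`$form['roles']['#value'] = $flag->roles;`) shows the roles element is built just above this point and is not touched here, so confirm that the role-name '#options' receive the same `array_map('check_plain', ...)` treatment, otherwise the proof of concept in the report is unaffected by this change. Using `array_map` with a single array is correct for the part that is changed: it keeps the machine-name keys, so `'#default_value' => $flag->types` continues to match.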
--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
| Comment | File | Size | Author |
|---|---|---|---|
| | flag.patch | 732 bytes | Justin_KleinKeane |
Comments
Comment #1
dddave commented

Comment #2
quicksketch commented:
Thanks, though this issue should not be reported through the issue queue. See http://drupal.org/node/101494 for the proper procedure to report a security issue. I'm unpublishing this node in the mean time. The solution you've posted looks great though, I'll use it once we get approval from the security team.

Comment #3
quicksketch commented:
Oh, this was reported some time ago in #483218: role names are not properly sanitized by flag module, which the security team has remarked is not considered a security bug, which should make releasing the next version with this fix much easier.