Service Links 6.x-1.0 XSS Vulnerability
| Project: | Service links |
| Version: | 6.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Service links module (http://drupal.org/project/service_links) "enables admins to add links to a number of social bookmarking sites, blog search sites etc. "
The Service Links module contains a cross-site scripting (XSS) vulnerability because it does not sanitize content type names before displaying them on its settings page.
Systems affected:
-----------------
Drupal 6.14 with Service links 6.x-1.0 was tested and shown to be vulnerable.
Impact:
-------
Script injected into an administrative page executes in the browser session of whichever administrator views it, so this XSS may expose site administrative accounts to compromise; given the privileges of a Drupal administrative account, that could in turn lead to compromise of the web server process.
Mitigating factors:
-------------------
The Service links module must be installed and enabled. To carry out this XSS exploit the attacker must have the 'administer content types' permission, and the payload only fires when an administrator visits the Service links settings page.
Proof of Concept:
---------------------
1. Install Drupal 6.14
2. Install Service links 6.x-1.0
3. Enable the Service links module from Administer -> Site building -> Modules
4. Create a new Content type from Administer -> Content management -> Content types and click 'Add content type'
5. For the 'name' field enter "alert('xss');" and save the content type
6. Click Administer -> Site configuration -> Service links to trigger the JavaScript
Technical details:
------------------------
The Service links module passes the raw content type names returned by node_get_types('names') straight into the '#options' of the 'Node types' checkboxes built in service_links_admin_settings(), so a script payload stored in a content type name is written into the settings page without sanitization.
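To make the defect and the fix concrete, the following is an added example that reproduces the vulnerable and the patched patterns outside Drupal; it is not code from the Service links module or from Drupal. node_get_types_stub() and check_plain_stub() are assumed stand-ins for Drupal's node_get_types('names') and check_plain(), the content type names are constructed test data, and render_checkboxes() is a simplified stand-in for the Form API theme layer, not a claim about how Drupal's own theme functions behave. Where the patch uses filter_xss(), the fixed path here uses a check_plain() equivalent, since a checkbox label is plain text and needs no HTML preserved.

```php
<?php
// Added example, not code from the Service links module or from Drupal.
// The stubs below stand in for Drupal functions so it runs from the CLI:
//   node_get_types_stub()  ~ node_get_types('names'): machine name => label
//   check_plain_stub()     ~ check_plain(): htmlspecialchars() with ENT_QUOTES
// All content type names are constructed test data.

function node_get_types_stub() {
  return array(
    'page'  => 'Page',
    'story' => 'Story',
    // A content type whose human-readable name carries a script payload,
    // as created in step 5 of the proof of concept.
    'evil'  => "<script>alert('xss');</script>",
  );
}

function check_plain_stub($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for rendering a 'checkboxes' element: the option key
// becomes the checkbox value and the option label is concatenated into the
// markup as-is, which is why the label must already be safe when it is
// placed in '#options'.
function render_checkboxes($name, array $options) {
  $html = '';
  foreach ($options as $key => $label) {
    $html .= '<label><input type="checkbox" name="' . check_plain_stub($name)
           . '[' . check_plain_stub($key) . ']" /> ' . $label . "</label>\n";
  }
  return $html;
}

// Vulnerable pattern (6.x-1.0): names are used as '#options' untouched.
function node_type_options_vulnerable() {
  return node_get_types_stub();
}

// Fixed pattern: sanitize every label before it reaches the form. array_map()
// keeps the array keys, so the machine names used as checkbox values are
// unchanged and previously saved settings still match.
function node_type_options_fixed() {
  return array_map('check_plain_stub', node_get_types_stub());
}

// Check whether a script tag survived into the rendered markup.
function payload_survives($html) {
  return strpos($html, '<script>') !== false;
}

$vulnerable = render_checkboxes('service_links_node_types', node_type_options_vulnerable());
$fixed      = render_checkboxes('service_links_node_types', node_type_options_fixed());

echo "vulnerable rendering contains <script>: " . (payload_survives($vulnerable) ? 'yes' : 'no') . "\n";
echo "fixed rendering contains <script>:      " . (payload_survives($fixed) ? 'yes' : 'no') . "\n";
echo $fixed;
```

Run with `php example.php`. The only behavioural difference between the two paths is the single array_map() call on the labels, which is also the whole of the project's patch; the keys, and therefore the values stored in the service_links_node_types variable, are untouched by either approach.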
Patch
-------
Applying the following patch mitigates these threats.
--- service_links/service_links.module 2008-02-26 12:01:27.000000000 -0500
+++ service_links_fixed/service_links.module 2009-10-02 06:33:21.000000000 -0400
@@ -35,11 +35,12 @@ function service_links_admin_settings()
'#title' => t('Where to show the service links'),
'#description' => t('Set the node types and categories you want to display links for.'),
);
+ $names = array_map('filter_xss', node_get_types('names'));
$form['where_to_show_the_links']['service_links_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Node types'),
'#default_value' => variable_get('service_links_node_types', array()),
- '#options' => node_get_types('names'),
+ '#options' => $names,
);
if (module_exists('taxonomy')) {
$form['where_to_show_the_links']['service_links_category_types'] = array(
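Review bot: filter_xss() is a weaker choice than check_plain() for the labels built on the added `$names = array_map('filter_xss', node_get_types('names'));` line: a checkbox option label is plain text, and filter_xss() still lets its default whitelist of tags (a, em, strong and a few others) through, so a content type name such as `<a href="http://...">Page</a>` would still be rendered as markup on the settings page; `$names = array_map('check_plain', node_get_types('names'));` escapes everything and leaves no such surface. Keeping array_map() is right, since it preserves the string keys and so the machine names saved in service_links_node_types are unaffected. The trailing context shows the taxonomy block (service_links_category_types) starting immediately after the changed element; if its '#options' are built from vocabulary names the same way, they need the same treatment, and this patch does not touch them.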
| Attachment | Size |
|---|---|
| service_links-6.x-1.0.patch | 833 bytes |
