Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The CCK module (http://drupal.org/project/cck)
"allows you to add custom fields to nodes using a web browser."

The CCK module version 5.x-1.10 contains a cross site scripting
vulnerability because it does not properly sanitize output of group
labels before display.

Systems affected:
- - - -----------------
Drupal 5.19 with CCK 5.x-1.10 was tested and shown to be vulnerable.

Impact:
- - - -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- - - -------------------
The CCK module must be installed. To carry out a CCK based XSS exploit
the attacker must have 'administer content types' permission.

Proof of Concept:
- - ---------------------
1. Install Drupal 5
2. Install CCK 5.x-1.10
3. Enable the CCK module from Administer -> Site building -> Modules
and enable all CCK modules
4. From Administer -> Content management -> Content types and click the
'edit' link next to the 'Page' content type
5. Click the 'Add group' tab at the top
6. Enter "

alert('xss');

" as the label and save the
group by clicking the 'Add' button at the bottom of the form
7. On form submission you ill be redirected to
/?q=admin/content/types/page/fields and the JavaScript will be rendered
and execute three times.

Technical details:
- - ------------------------
The CCK module fails to sanitize the output of the CCK group label
before display on lines 248 and 285 of content_admin.inc. Applying the
following patch fixes this vulnerability.

Patch
- - -------
Applying the following patch mitigates these threats.

$ diff -up cck/content_admin.inc cck_fixed/content_admin.inc
- --- cck/content_admin.inc 2008-09-03 09:45:05.000000000 -0400
+++ cck_fixed/content_admin.inc 2009-10-01 15:35:04.364195774 -0400
@@ -245,7 +245,7 @@ function theme_content_admin_field_overv
$row[] = drupal_render($form['field-groups'][$fname]);
break;
default:
- - $row[] = array('data' => $cell, 'class' => $class);
+ $row[] = array('data' => filter_xss($cell), 'class' =>
$class);
}
}

@@ -282,7 +282,7 @@ function theme_content_admin_field_overv

// add the group row in its own table above the group
fields table, then reset $row().
$fieldset = array(
- - '#title' => t('!label (!name)', array('!label' =>
$form['#group_labels'][$fname], '!name' => $fname)),
+ '#title' => t('!label (!name)', array('!label' =>
filter_xss($form['#group_labels'][$fname]), '!name' => $fname)),
'#collapsible' => TRUE,
'#collapsed' => FALSE,
'#value' => theme('table', array(), array(array('data' =>
$row, 'class' => 'content-field-overview-group'))) . theme('table',
$header, $grows),

CommentFileSizeAuthor
cck-5.x-1.10.patch1.2 KBJustin_KleinKeane

Comments

drumm’s picture

Security team response:

Since this vulnerability requires the Administer Content Types permission, we don't feel this requires an SA, however it'd be great if you'd post your patch to the issue queue for CCK since we'd still consider it a bug of course.

(by catch)

karens’s picture

Status: Active » Closed (won't fix)

The D5 version is no longer being supported. Sorry.