Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP, typically backed by a MySQL database, that provides extensibility through various third party modules. The Wikitools module (http://drupal.org/project/wikitools) "provides some settings to get a more wiki-like behavior. It aims to be lightweight; all features are optional, and it provides no database tables of its own."

The Wikitools module contains a cross site scripting (XSS) vulnerability because it does not sanitize content type names before displaying them on its administrative settings page.

Systems affected:
-----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
-------
A script stored in a content type name runs in the browser of any administrator who views the Wikitools settings page. Such XSS vulnerabilities may expose site administrative accounts (their sessions and the actions they can take) to compromise, which in a Drupal site can lead to compromise of the web server process, for example where an administrator can configure PHP code execution.

Mitigating factors:
-------------------
The Wikitools module must be installed and enabled. To carry out the content type name based XSS exploit the attacker must have the 'administer content types' permission, which is itself a highly privileged permission (see Vendor Response below).

Proof of Concept:
---------------------
1. Install Drupal
2. Install Wikitools
3. Create a new content type from Administer -> Content management -> Content types -> Add content type
4. Enter "<script>alert('xss');</script>" for the content type name and save the new content type
5. Enable the Wikitools module from Administer -> Site Building -> Modules
6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript

Technical details:
------------------------
The Wikitools settings form (wikitools_admin_settings()) passes the array returned by node_get_types('names') directly as the '#options' of a 'checkboxes' form element. The Drupal 5 and 6 Form API renders checkbox option labels as-is and expects the caller to have sanitized them, so a content type name containing HTML or JavaScript is injected verbatim into the administration page, leading to an arbitrary HTML injection vulnerability.
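The following standalone PHP script is an added example; it is not code from this advisory or from the Wikitools module. It reproduces, outside Drupal, the behaviour behind the proof of concept above and the technical details: a simplified stand-in for theme_checkboxes() (named render_checkboxes_example() here) concatenates each '#options' label into the markup unchanged, so a constructed set of content type names containing the proof-of-concept payload reaches the page intact, while the same names passed through a check_plain() equivalent (check_plain_example(), an htmlspecialchars() wrapper, since Drupal's own function is not available outside Drupal) do not. The names, the helper functions and the 'faq' entry are all constructed for this example.

```php
<?php
// Added example, not part of the advisory or of the Wikitools module.
// It reproduces outside Drupal why '#options' labels must be escaped at
// the call site: Drupal 5/6 theme_checkboxes()/theme_checkbox() place
// each option label into the markup unchanged.

// Constructed input: content type names as an account holding
// 'administer content types' could have entered them. The 'story' entry
// is the advisory's proof-of-concept payload; the 'faq' entry carries a
// tag that filter_xss() would leave in place but check_plain() escapes.
$node_type_names = array(
  'page'  => 'Page',
  'story' => "<script>alert('xss');</script>",
  'faq'   => 'FAQ <em>(draft)</em>',
);

// Stand-in for Drupal's check_plain(): escape every HTML metacharacter.
function check_plain_example($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Simplified stand-in for theme_checkboxes(). The option key (the type's
// machine name) is escaped here because it lands in an attribute; the
// label is concatenated raw, as the real theme function does.
function render_checkboxes_example($name, array $options) {
  $html = '';
  foreach ($options as $key => $label) {
    $safe_key = check_plain_example($key);
    $html .= '<label class="option">'
      . '<input type="checkbox" name="' . $name . '[' . $safe_key . ']"'
      . ' value="' . $safe_key . '" /> ' . $label
      . "</label>\n";
  }
  return $html;
}

// TRUE when an unescaped <script> tag survived into the output, which is
// the condition step 6 of the proof of concept observes in the browser.
function contains_live_script($html) {
  return stripos($html, '<script') !== FALSE;
}

// Vulnerable: mirrors the original line
//   '#options' => node_get_types('names'),
$vulnerable = render_checkboxes_example('wikitools_node_types', $node_type_names);

// Hardened: mirrors the patched line, with check_plain() in place of
// filter_xss(). array_map() over a single array keeps the string keys,
// so the submitted values (the type machine names) are unaffected.
$hardened = render_checkboxes_example('wikitools_node_types',
  array_map('check_plain_example', $node_type_names));

echo "--- unsanitized #options (vulnerable) ---\n", $vulnerable;
echo "script tag reaches the browser: ",
  var_export(contains_live_script($vulnerable), TRUE), "\n\n";

echo "--- check_plain()'d #options (hardened) ---\n", $hardened;
echo "script tag reaches the browser: ",
  var_export(contains_live_script($hardened), TRUE), "\n";
```

Run it with `php` on the command line and compare the two blocks of output: in the first, the 'story' label is emitted as a live script element; in the second, every metacharacter is entity-encoded and the names display literally. The patches below use filter_xss() rather than check_plain(); filter_xss() removes script but keeps a whitelist of inline tags, so the '<em>' in the constructed 'faq' name would still render as markup under the patched code, whereas check_plain() treats a type name as the plain text it is.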

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

--- wikitools/wikitools.module 2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module 2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#size' => count(node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,
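Review bot: filter_xss() in the '+' line still lets its default whitelist of tags (a, em, strong, cite, code, ul, ol, li, dl, dt, dd) through to the checkbox label, so a content type name containing those tags is still rendered as markup on the settings page; since a type name is plain text, check_plain() is the tighter choice: `'#options' => array_map('check_plain', node_get_types('names')),`. Either way array_map() over a single array preserves the string keys, so the submitted values (the type machine names) are unchanged. In the unchanged context below the fix, '#size' has no effect on a 'checkboxes' element and costs a second node_get_types('names') call; it could be dropped in the same change.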

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

--- wikitools/wikitools.admin.inc 2009-06-17 23:57:33.000000000 -0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,
'#description' => t('Select the node types which will be affected by the specified options. If you select multiple node types, all nodes of these types will be searched for when a wikipath is entered. If a wikipage doesn\'t exist, an option to create any of these types will be given.'),
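Review bot: same remark as for the 5.x hunk: filter_xss() on the '+' line keeps its whitelisted inline tags in the label, so check_plain() is the stricter fit for a plain-text type name. The '#description' in the context lines says that when a wikipage does not exist "an option to create any of these types will be given"; that create-option list renders the same type names elsewhere in the module, and this hunk only covers the settings form, so the reviewer should confirm that the other rendering path escapes the names as well.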

Vendor Response
---------------

In the past the vendor has responded that vulnerabilities requiring 'administer content types' privileges have already been addressed by SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not classified as security vulnerabilities, but rather as bugs.

Attachments
-----------
#3 600406-3.patch (1012 bytes) by jpmckinney

Comments

cwgordon7:

Yes, what you say is correct, this is a bug, not a security vulnerability: a user who can change content type names can also administer content types, and thus can delete your entire database and in some cases actually execute PHP code, so an XSS attack through Wikitools is not a huge concern. Thank you for reporting this, however; this will go into the development branch and the next version.

asb:

Can this issue be closed?

jpmckinney:

Status: Active » Reviewed & tested by the community
File: 600406-3.patch (1012 bytes)

Security team's patch works. RTBC

jpmckinney:

Version: 6.x-1.2 » 6.x-1.x-dev

jpmckinney:

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.