The Custom Pagers module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) because it fails to sanitize Custom Pager names before displaying them in the administrative back end interface.

Systems affected:
-----------------
Drupal 5.21 with Custom Pagers 5.x-1.9, and Drupal 6.19 with Custom Pagers 6.x-1.0-beta2, were tested and shown to be vulnerable.

Impact
------
A user could inject arbitrary scripts into pages, affecting site users. This could result in administrative account compromise, leading to compromise of the web server process. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that attacks client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:
-------------------
In order to exploit this vulnerability the attacker must have credentials to an authorized account that has been assigned the 'administer custom pagers' permission. This could be accomplished via social engineering, brute force password guessing, or abuse of legitimate credentials.

Proof of concept:
-----------------
Available at http://www.madirish.net/?article=479

Patch:
------
Applying the following patch mitigates this issue in version 5.x-1.9:

--- custom_pagers/custom_pagers.module 2007-08-16 09:49:33.000000000 -0400
+++ custom_pagers/custom_pagers.module 2011-01-31 16:33:08.657233745 -0500
@@ -132,7 +132,7 @@ function custom_pagers_page() {
$rows = array();
foreach ($pagers as $pager) {
$row = array();
- $row[] = $pager->title;
+ $row[] = check_plain($pager->title);
$row[] = !empty($pager->list_php) ? t('PHP snippet') : $pager->view . t(' view');
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') : $pager->node_type . t(' nodes');
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager->pid);
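Review bot: the check_plain() on the title is the right fix, but in this 5.x hunk the two lines that follow it still concatenate `$pager->view` and `$pager->node_type` into the row unescaped (`$pager->view . t(' view')` and `$pager->node_type . t(' nodes')`). If either value can be set through the same administrative form rather than being constrained to existing view and node type names, it should go through check_plain() as well, or be passed as a `%` placeholder to t() the way the 6.x hunk does; please confirm which before committing. The `l()` call is fine as written, since l() escapes its link text.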

Applying the following patch mitigates this issue in version 6.x-1.0-beta2:

--- custom_pagers/custom_pagers.admin.inc 2010-01-17 17:57:39.000000000 -0500
+++ custom_pagers/custom_pagers.admin.inc 2011-01-31 16:36:10.967026063 -0500
@@ -15,7 +15,7 @@ function custom_pagers_page() {
$rows = array();
foreach ($pagers as $pager) {
$row = array();
- $row[] = $pager->title;
+ $row[] = check_plain($pager->title);
$row[] = !empty($pager->list_php) ? t('PHP snippet') : t('%view_name view', array('%view_name' => $pager->view));
$row[] = !empty($pager->visibility_php) ? t('PHP snippet') : t('%node_type nodes', array('%node_type' => $pager->node_type));
$row[] = l(t('edit'), 'admin/build/custom_pagers/edit/' . $pager->pid);
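Review bot: this hunk is complete for 6.x as far as the visible lines go: the title is now passed through check_plain(), and the view and node type values on the next two lines are already supplied as `%view_name` and `%node_type` placeholders to t(), which escapes them before substitution. Two follow-ups worth noting in the commit message: the same one-line change is needed wherever the title is echoed in 7.x (the 7.x admin include has the identical `$row[] = $pager->title;` line), and any other place the module prints a pager title outside this table should be audited for the same missing check_plain().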

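To make the difference between the pre-patch and patched rows concrete, here is an added example that is not part of the module or of this advisory. It builds one admin table row both ways using small stand-ins for Drupal's check_plain() and t() (the stand-ins mirror how Drupal 6 escapes `@` and `%` placeholders and leaves `!` placeholders raw), so it runs outside Drupal. The pager record is constructed for the example; Drupal's theme('table') does not escape cell contents, which is why the escaping has to happen when the row is built.

```php
<?php
// Added example, not the Custom Pagers module's own code.

// Stand-in for Drupal's check_plain(): HTML-escape text for safe output.
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for Drupal 6's t() placeholder handling (no translation lookup):
// '@name' placeholders are escaped, '%name' placeholders are escaped and
// wrapped in <em> (what theme('placeholder') does), '!name' are inserted raw.
function t($string, array $args = array()) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = check_plain($value);
        break;
      case '%':
        $args[$key] = '<em>' . check_plain($value) . '</em>';
        break;
      case '!':
        // Raw insertion: only for values that are already safe HTML.
        break;
    }
  }
  return strtr($string, $args);
}

// Row as built before the patch: the title goes into the table untouched.
function build_row_unsafe($pager) {
  $row = array();
  $row[] = $pager->title;
  $row[] = !empty($pager->list_php) ? t('PHP snippet') : t('%view_name view', array('%view_name' => $pager->view));
  $row[] = !empty($pager->visibility_php) ? t('PHP snippet') : t('%node_type nodes', array('%node_type' => $pager->node_type));
  return $row;
}

// Row as built after the 6.x patch: the title is escaped with check_plain().
function build_row_safe($pager) {
  $row = array();
  $row[] = check_plain($pager->title);
  $row[] = !empty($pager->list_php) ? t('PHP snippet') : t('%view_name view', array('%view_name' => $pager->view));
  $row[] = !empty($pager->visibility_php) ? t('PHP snippet') : t('%node_type nodes', array('%node_type' => $pager->node_type));
  return $row;
}

// Returns TRUE when no cell of the row still contains an unescaped '<'.
function row_is_escaped(array $row) {
  foreach ($row as $cell) {
    // Strip the <em> wrapper t() adds around '%' placeholders, then look for raw tags.
    $stripped = str_replace(array('<em>', '</em>'), '', $cell);
    if (strpos($stripped, '<') !== FALSE) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed sample pager record; the title contains markup and quotes that
// an account with 'administer custom pagers' could have typed into the form.
$pager = (object) array(
  'pid' => 1,
  'title' => 'Front <b>page</b> pager & "news"',
  'list_php' => '',
  'view' => 'frontpage <view>',
  'visibility_php' => '',
  'node_type' => 'story',
);

$unsafe = build_row_unsafe($pager);
$safe = build_row_safe($pager);

print "before patch: " . implode(' | ', $unsafe) . "\n";
print "after patch:  " . implode(' | ', $safe) . "\n";
print "before patch escaped? " . (row_is_escaped($unsafe) ? 'yes' : 'no') . "\n";
print "after patch escaped?  " . (row_is_escaped($safe) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The first line shows the `<b>` tag and the quotes from the title reaching the output as-is, which is exactly what a browser would render as markup; the second line shows them as `&lt;b&gt;` and `&quot;`. Note that the view name is escaped in both rows, because the `%view_name` placeholder goes through check_plain() inside t(); that is why the 6.x patch only needs to touch the title.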

Comments

greggles

Version: 5.x-1.9 » 6.x-1.x-dev

This seems more important for the 6.x so I'm marking this as relevant for that release.

Also subscribing.

kmonty

Version: 6.x-1.x-dev » 7.x-1.x-dev
Priority: Normal » Critical

I believe this is also an issue in d7.

greggles

Note: this issue was cleared with the security team prior to being published here and can be published openly because of the project's policy on which releases get private advisory treatment.

greggles

spidersilk

In D7, the problem code is on line 20 of custom_pagers.admin.inc:

$row[] = $pager->title;

It should be able to be fixed by changing that to:

$row[] = check_plain($pager->title);

Correct?

If so, I'll try to make a patch for it. Haven't ever made one before, but it's probably time I learned...

spidersilk

OK, first time I've made a patch (or used Git at all, for that matter), but here goes. This is for 7.x-1.x-dev.

spidersilk

Status: Active » Needs review