Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and typically backed by a
MySQL database. The Drupal Book Block module (https://drupal.org/project/bookblock) generates an individual menu
block for each of a site's books. These blocks can then be administered like any other block and placed on the
pages you choose. The Book Block module contains a persistent (stored) cross-site scripting vulnerability: its
administration page renders book titles without sanitizing them, so script stored in a book title executes in the
browser of anyone viewing that page.

Systems Affected:

Drupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.

Impact:

Users who have the ability to create books on the website can inject arbitrary script into a book title. This
script executes in the browser of any user who navigates to /admin/content/book/blocks, normally a site
administrator, and runs with that user's session.
This could lead to privilege escalation, account compromise or other attacks. This exploit
affects

Mitigating Factors:

In order to insert a malicious script into the database, access to a valid user account with
the ability to create Book nodes is required.

Proof of Concept:

1. Install and enable the Book Block module
2. Navigate to /node/add and click "Book page" to create a new book page
3. Enter <script>alert('XSS Vulnerability')</script> into the "title" field, fill in the "body" field arbitrarily and
press "Save"
4. Navigate to /admin/content/book/blocks to view the rendered JavaScript
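As an added example (not code from the Book Block module or from Drupal core), the following stand-alone PHP script
reproduces the pattern behind steps 1-4 with the Drupal 6 API replaced by local stand-ins: check_plain() is written
out the way Drupal 6 implements it (htmlspecialchars with ENT_QUOTES/UTF-8), and book_get_books() is replaced by a
constructed array of the same shape. The function names book_options_vulnerable(), book_options_hardened() and
render_labels() are illustrative assumptions; the hardened variant shows where the escaping belongs.

```php
<?php
// Added example, not the module's own code. Stand-ins for the Drupal 6 API:
// check_plain() as Drupal 6 implements it; book_get_books() replaced by a
// constructed array with one sub-array per book ('bid', 'nid', 'title',
// 'has_children'), which is the shape the module's foreach loop relies on.

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data standing in for book_get_books(); the second
// title is the stored payload from the proof of concept.
function sample_books() {
  return array(
    1 => array('bid' => 1, 'nid' => 1, 'title' => 'User guide', 'has_children' => TRUE),
    2 => array('bid' => 2, 'nid' => 7, 'has_children' => FALSE,
               'title' => "<script>alert('XSS Vulnerability')</script>"),
  );
}

// Vulnerable pattern: the stored title becomes the checkbox label verbatim.
// Form API labels are markup, so whatever the author typed is rendered as HTML.
function book_options_vulnerable(array $books) {
  $options = array();
  foreach ($books as $book) {
    $options[$book['bid']] = $book['title'];
  }
  return $options;
}

// Hardened pattern: escape the title at the point it enters markup.
// check_plain() is applied to the string field, not to the book array;
// array_map('check_plain', $books) would hand each book array to
// htmlspecialchars(), which only accepts strings.
function book_options_hardened(array $books) {
  $options = array();
  foreach ($books as $book) {
    $options[$book['bid']] = check_plain($book['title']);
  }
  return $options;
}

// Minimal stand-in for what the form renderer emits for each checkbox label,
// so the difference between the two option arrays is visible as HTML.
function render_labels(array $options) {
  $html = '';
  foreach ($options as $bid => $label) {
    $html .= '<label for="edit-bookblock-' . (int) $bid . '">' . $label . "</label>\n";
  }
  return $html;
}

$books = sample_books();
echo "Vulnerable:\n", render_labels(book_options_vulnerable($books));
echo "Hardened:\n", render_labels(book_options_hardened($books));
```

Run it with `php bookblock_xss_demo.php`: the vulnerable branch emits a live `<script>` element inside the second
label, the hardened branch emits the same title as entity-encoded text (`&lt;script&gt;...`), which is what a fix in
bookblock.admin.inc needs to produce.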

Patch:

The following patch mitigates this vulnerability:

$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc
--- bookblock.admin.inc	2010-07-01 08:31:50.000000000 -0400
+++ patchedbookblock.admin.inc	2012-07-06 11:07:49.956360960 -0400
@@ -13,7 +13,7 @@
  * @ingroup forms
  */
 function bookblock_admin_settings() {
-  $books = book_get_books();
+  $books = array_map("check_plain",book_get_books());
   if ($books) {
     foreach ($books as $book) {
       if (!$book['has_children']) {
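Review bot: array_map("check_plain", book_get_books()) escapes at the wrong level. The loop two lines below indexes $book['has_children'], so each element of $books is an array, and check_plain() (htmlspecialchars() underneath) takes a string: it escapes nothing inside the array, emits a warning and returns NULL on PHP 5 and 7, and throws a TypeError on PHP 8, after which $book['has_children'] no longer means anything. Apply the escaping to the string that actually reaches the form, e.g. check_plain($book['title']) where the option label is built, and leave the $books array as returned by book_get_books().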
@@ -31,4 +31,4 @@
     $form['array_filter'] = array('#type' => 'value', '#value' => TRUE);
     return system_settings_form($form);
   }
-}
\ No newline at end of file
+}
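Review bot: this hunk only adds the missing trailing newline after the closing brace. It is a harmless cleanup but unrelated to the XSS fix, and would be cleaner committed separately so the security change stays a one-line diff.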

Vendor Response:

This security issue has been reported here in full disclosure because this module is still in beta. The
Drupal Security Team currently only supports stable releases, as stated on the Drupal website:

Which Releases Get Security Advisories?
Security Advisories are only made for issues affecting stable releases (Y.x-Z.0 or higher) in the supported major
version branches (at the time of writing Drupal 6.x and Drupal 7.x). That means no security advisories for development
releases (-dev), ALPHAs, BETAs or RCs.

Because the Drupal Security Team does not handle issues in non-stable releases, it has been posted in the public issue queue.

***Discovered by Zach Alexander***
gr33tz 2 Justin C. Klein Keane (www.madirish.net)

Comments

zalexander:
Issue summary: View changes
Vendor Response section added

mcjim:
Assigned: Unassigned » mcjim
Status: Needs review » Fixed
Thank you!
I've committed a fix and rolled a beta2 release, which should appear shortly.

mcjim:
Also pushed the change to the 7.x-1.0 branch.

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous:
Issue summary: View changes
Formatting