Problem: FeedsProcessor::createLogMessage() copies user-provided content from entities and Feeds items unsanitized into the log. An attacker can supply a feed with malicious content that triggers XSS in the admin interface when a View of Feeds log messages is configured.

Proposed solution: separate the log message from the user-provided variables to prevent XSS attacks.
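The following is an added illustration of the proposed fix; it is not code from the Feeds module or from this issue's patch. It contrasts a message built by string concatenation (the pattern described in the problem statement) with a message that is a fixed template whose user-controlled values travel separately and are escaped only when rendered. `render_log_message()` is a minimal stand-in for Drupal 7's `format_string()` convention, where `@name` placeholders are HTML-escaped on substitution, so the example runs with plain PHP and no Drupal bootstrap. The feed item with a `<script>` tag is a constructed sample input.

```php
<?php
// Added example (not Feeds' own code): keep user-controlled data out of the
// log message template and escape it only when the log entry is rendered.

/**
 * Pattern described in the issue: the imported item is concatenated straight
 * into the message, so any HTML it carries is stored and later rendered verbatim
 * by a View of log messages.
 */
function log_message_unsafe(Exception $e, array $item) {
  return $e->getMessage() . '<h3>Original item</h3><pre>' . var_export($item, TRUE) . '</pre>';
}

/**
 * Hardened pattern: the message is a fixed template with placeholders and the
 * user-controlled values are kept in a separate $variables array, mirroring the
 * "message + variables" separation proposed in the issue summary.
 */
function log_message_safe(Exception $e, array $item) {
  return array(
    'message' => '@error<h3>Original item</h3><pre>@item</pre>',
    'variables' => array(
      '@error' => $e->getMessage(),
      '@item' => var_export($item, TRUE),
    ),
  );
}

/**
 * Minimal stand-in for Drupal 7's format_string() (assumption for this
 * example): every "@name" placeholder is HTML-escaped on substitution, so
 * markup inside a feed item becomes inert text when the log is displayed.
 */
function render_log_message($message, array $variables) {
  $replacements = array();
  foreach ($variables as $key => $value) {
    // Only escaped "@" placeholders are supported here; nothing is inserted raw.
    if ($key[0] === '@') {
      $replacements[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
  }
  return strtr($message, $replacements);
}

// Constructed feed item carrying markup in a field, and a constructed
// processing error of the kind createLogMessage() would receive.
$item = array('title' => '<script>alert(1)</script>');
$e = new Exception('Entity could not be saved');

// Unsafe: the stored string embeds the item's markup unchanged.
echo log_message_unsafe($e, $item), "\n\n";

// Safe: the markup from the item is escaped when the entry is rendered, while
// the template's own <h3>/<pre> structure is preserved.
$entry = log_message_safe($e, $item);
echo render_log_message($entry['message'], $entry['variables']), "\n";
```

Run it with `php example.php`; the second block of output shows the item's tags as escaped entities while the template's own headings remain real markup, which is the point of keeping the template and the variables apart.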

Comment | File | Size | Author
#1 | feeds-log-xss-2502419-1.patch | 1.6 KB | klausi

Comments

Comment by klausi

Status: Active » Needs review
File: feeds-log-xss-2502419-1.patch (1.6 KB)

Patch attached.

Comment by klausi

Oh and I used this update function to get rid of potentially malicious log messages in the DB:

/**
 * Delete long and potentially dangerous feeds log messages.
 */
function recruiter_job_import_update_7003() {
  // Messages that embed the raw item dump contain the "Original item" heading
  // added by FeedsProcessor::createLogMessage(); match on it and remove them.
  db_delete('feeds_log')
    ->condition('message', '%<h3>Original item</h3>%', 'LIKE')
    ->execute();
}

Not sure if this is the right approach for Feeds, so I implemented this in a custom recruiter module for now.

Comment by MegaChriz

In #1953008: PHP Fatal error: Nesting level too deep - recursive dependency? in FeedsProcessor.inc on line 199 there is a patch that also fixes security issues for the log message. I haven't checked yet if it also fixes the whole problem described here, so maybe the two solutions need to be merged.

Comment by MegaChriz

  • twistor committed 09a9c1b on 7.x-2.x authored by klausi
    Issue #2502419 by klausi: Log messages XSS attack vector
Comment by twistor

Status: Needs review » Fixed

I've committed the simplest fix for this for alpha-9, which is just going to be a collection of security patches. We can continue the proper fix in other issues.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.