The text of this advisory is also available at http://www.madirish.net/?article=452

Description of Vulnerability (or display bug, depending on your perspective):
---------------------------------------------------------------------------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides custom look and feel functionality with themes. The popular Zen theme contains a cross site scripting vulnerability due to the fact that it fails to properly sanitize breadcrumb separators upon display allowing arbitrary script injection.

Systems affected:
----------------
Zen 6.x-1.1 was tested and shown to be vulnerable

Mitigating factors:
-------------------
Attacker must have 'administer site configuration' permissions or write access to the database in order to exploit this vulnerability. Additionally the breadcrumb configuration form limits the length to 10 characters.

Proof of concept:
-----------------
1. Install Drupal 6.16 and the Zen theme.
2. Enable the Zen theme from Administer -> Site building -> Modules
3. Go to Administer -> Site building -> Themes
4. Click on the 'configure' link
5. Enter script in the 'Breadcrumb separator' text area
6. Click the 'Save configuration' button

Patch
-----
Applying the following patch mitigates this threat.

--- zen_fixed/zen/template.php 2010-03-26 10:09:43.718371984 -0400
+++ zen/zen/template.php 2010-03-26 10:09:54.864395793 -0400
@@ -60,7 +60,7 @@ function zen_breadcrumb($breadcrumb) {

// Return the breadcrumb with separators.
if (!empty($breadcrumb)) {
- $breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator'));
+ $breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator');
$trailing_separator = $title = '';
if (theme_get_setting('zen_breadcrumb_title')) {
if ($title = drupal_get_title()) {

Comments

Whoops, the diff is actually backwards in the patch, reverse the '+' and '-' for an effective patch.

Status:Active» Closed (won't fix)

From http://drupal.org/node/475848:

Another case where no security announcement is required is when an exploit requires one of the following permissions:

  • Administer filters
  • Administer users
  • Administer permissions
  • Administer content types
  • Administer site configuration

Any user with one of the above permissions can already takeover the site.

Doing a check_plain on that value means site admins can't put html in that field, like character entity references. For example, “→” would be displayed instead of “→”

Additionally, I asked around in IRC and was told “Fixing security holes like that is akin to putting dead bolts on your bathroom door.” Attackers are already in the house.

So I don't see a reason to fix this.

Status:Closed (won't fix)» Needs review

Hello,

you may want to consider a finer grain filter than check_plain() but some filter would definitely be helpful. If an admin uses a "<" or some other XHTML delimiter it can destroy layout and effectively lock the admin out of the site. This is a concern when non-technical admins are manipulating the site and unable to rectify the mayhem that's created when they botch the layout with a bad breadcrumb separator. A quick DB update fixes the issue but many users aren't capable of that level of manipulation. Even if you don't consider this a security problem (I know the Drupal security team doesn't which is why I didn't report to them) it is definitely a display bug - I found it after a user borked a layout and I had to fix it for them. Thanks!

-Justin

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

I agree. It has the added effect of discouraging Drupal site admins from taking security updates seriously.

The mitigating factors in this report are so limiting in fact that the bathroom door analogy doesn't quite do it justice. It's more like trying to prevent house burglars from using your teaset by padlocking your biscuit tin.

For those who rely mostly on the red message box on admin screens in order to be notified in time of the next available security updates for a given site, they're going to have to apply this one and get it out of the way. Some admins will read this report, not bother applying it and consequently apply other more critical fixes late.