Drupal version 6.26 with Book Block version 6.x-1.0-beta1 suffers from a cross site scripting vulnerability.
f9634f63ca64e4955a6dcb078fc3edf1f92c7055f4d7d300f83c4c36269e47a6
Drupal Book Block 6.x-1.0-beta1 XSS Vulnerability
Posted by zalexander on July 9, 2012 at 2:44pm
Project: Book Block
Version: 6.x-1.0-beta1
Component: Code
Category: bug report
Priority: major
Assigned: mcjim
Status: fixed
Issue tags: patch, security, vulnerability, xss
Issue Summary
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL.
The Drupal Book Block module (https://drupal.org/project/bookblock) allows users to create a
block on their page that can generate an individual menu block for each of a site's books.
These blocks can then be administered as any other block to appear on the pages you choose.
The Book Block module contains a persistent script injection vulnerability (XSS) on its admin
page that fails to properly sanitize the titles of books.
Systems Affected:
Drupal 6.26 with Book Block 6.x-1.0-beta1 was tested and shown to be vulnerable.
Impact:
Users who have the ability to create books on the website can inject arbitrary script into
book titles. This script will execute whenever a user navigates to /admin/content/book/blocks.
This could lead to privilege escalation, account compromise or other attacks. This exploit
affects
Mitigating Factors:
In order to insert a malicious script into the database, access to a valid user account with
the ability to create Book nodes is required.
Proof of Concept:
1. Install and enable the Book Block module
2. Navigate to /node/add and click "Book page" to create a new book page
3. Enter '<script>alert('XSS Vulnerablity')</script>' into the "title" field, then fill in the "body" field arbitrarily and press "Save"
4. Navigate to /admin/content/book/blocks to view the rendered JavaScript
Patch:
The following patch mitigates this vulnerability:
$ diff -ruN bookblock.admin.inc patchedbookblock.admin.inc
--- bookblock.admin.inc 2010-07-01 08:31:50.000000000 -0400
+++ patchedbookblock.admin.inc 2012-07-06 11:07:49.956360960 -0400
@@ -13,7 +13,7 @@
* @ingroup forms
*/
function bookblock_admin_settings() {
- $books = book_get_books();
+ $books = array_map("check_plain",book_get_books());
if ($books) {
foreach ($books as $book) {
if (!$book['has_children']) {
@@ -31,4 +31,4 @@
$form['array_filter'] = array('#type' => 'value', '#value' => TRUE);
return system_settings_form($form);
}
-}
\ No newline at end of file
+}