The Drupal Taxonomy Theme version 5.x-1.1 suffers from a cross site scripting vulnerability.
99913ad8eec20527866c93a1d3488cae-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Version Tested:
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)
Drupal 5.15 (http://drupal.org)
Module maintainer and Drupal security team notified
"The taxonomy_theme module allows you to change the theme of a given
node based on the taxonomy term, vocabulary or nodetype of that node.
You can also theme your forums and map themes to Drupal paths or path
aliases directly." The module contains a Cross Site Scripting (XSS)
vulnerability that can allow users with 'administer taxonomy' privileges
to expose users of the Taxonomy Theme module to XSS attacks. Details
are also available at http://www.lampsecurity.org/node/21
Executing the Attack:
1. Enable the Drupal core Taxonomy module
2. Create a new vocabulary by clicking Administer -> Content Management
- -> Categories.
3. Click the 'Add Vocabulary' link
4. For the 'Vocabulary name' enter <script>alert('xss');</script>, fill
in arbitrary values for all other fields
5. Click on Administer -> Site configuration -> Taxonomy Theme, then
click the 'Taxonomy' link to trigger the JavaScript.
Technical Details:
This flaw exists do to a lack of output checking in the
taxonomy_theme_admin_table_builder() function. Specifically, on line
388 of taxonomy_theme_admin.inc, which reads:
$form['table'][$item->$data['key']]['title'] = array('#value' =>
$item->name);
Should use check_plain() or similar sanitation function on the
$item->name value like so:
$form['table'][$item->$data['key']]['title'] = array('#value' =>
check_plain($item->name));
- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQD1AwUBSacCnZEpbGy7DdYAAQJYPQb/YnDXlQPm5RBW/p9nnx0ER/LJQ2KbFUUR
KTY9L+JsCiClV8PmLxjH8kSUsD5ITIMNmiVoA7OtsOGPD2oiaIuxqrjEKiXkThTb
ugkdrxMsu0dxITI837vt2nJfiHThCuk293Dzf6mGbrMJ77DDeybvyKKP/YxZGqNv
XOI87vedSjqJnREFLjGcyFfmczVTY+CkOaDkgKvWxrqoeOlUvbu7zO52UJm1ZSm0
vJ8gz176zl9R5O/Ar28f7ddlksFmWANgqBSmRCRQLoNBdPcNz4bjmuLc7YFVlYDi
yP1P/e/PNYw=
=laaL
-----END PGP SIGNATURE-----
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!