-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Drupal 5.17 Taxonomy (Core) Module Contains XSS Vulnerability
May 7, 2009
Version tested: Drupal 5.17
http://lampsecurity.org/drupal-taxonomy-vulnerability
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and supported by a MySQL database. The power of Drupal
systems is extended by various modules. Most modules are developed by
third parties, but there is a set of "core" modules that are provided as
part of a standard Drupal installation.
Drupal 5.17 Taxonomy module, which is part of the Drupal core and is
enabled by default upon installation, contains a cross site scripting
vulnerability that allows users with the 'administer taxonomy'
permission to inject arbitrary HTML in the help text of any Category
vocabulary. This arbitrary HTML will be displayed when any user
attempts to create new content associated with the taxonomy.
Proof of concept:
1. Log in to Drupal 5.17 as a user with administer taxonomy permissions
2. Create a new content category using Administer -> Categories -> Add
Vocabulary
3. Enter arbitrary <script>alert('xss');</script> in the 'Help text:'
field, check the 'Page' and 'Story' checkboxes under 'Types' and fill
out arbitrary values for other fields.
4. Click 'Submit'
5. Create new content by clicking the 'Create content' link and then
click either 'Page' or 'Story'
6. A JavaScript alert will appear
This vulnerability is especially dangerous as it targets content
creators, who are likely to have elevated privileges in Drupal. Extreme
care should be given to those users granted the 'administer taxonomy'
privilege until a fix is available.
- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQD1AwUBSgSXXpEpbGy7DdYAAQIUJQcAl+IR5MY2TPKuYv/nS7N243vh/HXgB7LT
joJzUQaCeTTDvwPwYe3WLY3sC7eQF9TtXik2kRN6h+QcdEcNdy0akcYIMOpNOM2y
X5lHRuHoVJFzp3nAohKXFrxpeNmE2cuNn/VRtVtFfUB33bEjSDEpSMa4OiO5Wq1O
mNY3tWFrEPUDb4b5ouNTyhARcBfmU3c2rqzgdf5rPrioqmlPnA6eXGQ/hr2kKZ7i
e7KDrua9EHm4U7ycpK9PAl/JRgh49U1Nl/MzXv5pT/iJ6SbR8tvc9/hOErc5sSur
m0qhSFm7mQ4=
=AHcD
-----END PGP SIGNATURE-----