XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1) Discovered by Martin Barbella <martybarbella (at) gmail (dot) com [email concealed]> Description of Vulnerability: ----------------------------- Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website. (From: http://drupal.org/about) The Node Blocks module allows users to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. (From: http://drupal.org/project/nodeblock) The block title is not properly sanitized when a user displays a block created from a node, resulting in a cross site scripting vulnerability. Systems affected: ----------------- This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous versions may also be affected. Impact: ------- This is an example of a stored cross site scripting vulnerability. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. (From OWASP: http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29) Mitigating factors: ------------------- A user must be able to create nodes of a type used by Node Blocks, and this node must be added as a block by a user with the administer blocks permission. Proof of concept: ----------------- 1. Install the Node Blocks module 2. Create a content type with available as block enabled 3. As a user with permission to create nodes of this type, create a node with the title "<script>alert('XSS')</script>" 4. As a user that can administer blocks, add this block to a region 5. Note that an alert box will be displayed when the block is generated on a page Solution: --------- Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module. Timeline: --------- 2009-12-29 - Drupal Security notified. 2010-01-13 - Security announcement released on drupal.org (http://drupal.org/node/683598) Credit: ------- This vulnerability was reported by Martin Barbella to Khalid Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.