Drupal Activity 6.x XSS Proof Of Concept

2012.03.30

Credit: Justin Klein Keane

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exploit for bespoke:

* Install and enable the Activity and Flag modules
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter
"<script>alert('xss');</script>" for the flag Title
* View the rendered Javascript at /?q=admin/settings/activity/flagactivity

* As above
* Alter the "Comment: Insert:" field in the "Message visible to the
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity
to insert the text "<script>alert('xss');</script>"
* Move the "Activity (All): show all recent activity" block to a
visible content region at ?q=admin/build/block
* Create a story at ?q=node/add/story
* Log out
* As anonymous user add a comment at ?q=comment/reply/X#comment-form
where X is the nid of the story from step #4
* Submit the comment to view the rendered JavaScript alert in the
Activity block or log back in to see the JavaScript at ?q=activity

Patch:

The following patch mitigates the above vulnerabilities.

- --- activity/activity.module	2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module	2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
         '#type' => 'checkboxes',
         '#title' => t('Token types'),
         '#description' => t('Select the token types that you wish to
record activity from.'),
- -        '#options' => $info['types'],
+        '#options' => array_map("filter_xss", $info['types']),
         '#default_value' => variable_get($module .'_token_types',
array_keys($info['types'])),
         '#attributes' => array('class' => 'activity-token-types'),
       );
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
                 if (count($types) > 1) {
                   $form[$module][$role_name][$type_name] = array(
                     '#type' => 'fieldset',
- -                    '#title' => t($type),
+                    '#title' => filter_xss(t($type)),
                     '#collapsible' => TRUE,
                     '#collapsed' => TRUE,
                   );
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
     activity_invoke_activityapi($activity, 'render');
     $message = token_replace($pattern, $module, $data);
     $message = token_replace($message, 'activity', $data);
- -    return $message;
+    return filter_xss($message);
   }
 }


Justin Klein Keane
http://www.MadIrish.net

References:

http://packetstormsecurity.org/files/111324/DRUPAL-SA-CONTRIB-2012-051-poc.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Drupal Activity 6.x XSS Proof Of Concept

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.