When customizing the dashboard, theme_dashboard_disabled_block($variables) does not sanitize the user-supplied block titles before outputting them, allowing users with the "View the administrative dashboard", "administer blocks" and "Use the administration pages and help" permissions to embed scripts in block titles.

Patch runs the output through check_plain for custom titles, similar to how block.module handles these.


Comments

mr.baileys

Patch didn't make it in OP.

mr.baileys

Hmrph. For some reason the link above links to the d.o. front page instead of my file. One more attempt to upload the file...

catch

Status: Needs review » Reviewed & tested by the community
Issue tags: +Security Advisory follow-up

Looks good, nice find! Marking RTBC and tagging for sec team.

Dries

Don't we need to escape block info too?

scor

Status: Reviewed & tested by the community » Needs review
FileSize: 824 bytes

Right, a custom block with an XSS description and no title also triggers the same XSS.

mr.baileys

Correct. I mistakenly assumed that $block['info'] would always be defined by modules.
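The two cases discussed in this issue (an unescaped custom title, and an unescaped block description used as the fallback label when no title is set) can be seen side by side in the following example. It is an added illustration, not Drupal's own dashboard.module code or the committed patch: the theme function is reduced to the label rendering, and check_plain() is replaced by a local stand-in that mirrors Drupal's definition (htmlspecialchars() with ENT_QUOTES and UTF-8) so the file runs on its own.

```php
<?php
// Added illustration, not Drupal's own dashboard.module code. It shows the
// unescaped rendering of a disabled dashboard block beside the escaped form.
// Assumption: check_plain() behaves like Drupal's, i.e. htmlspecialchars()
// with ENT_QUOTES and UTF-8; a stand-in is defined so this runs stand-alone.

if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Before: the title (or the info fallback) is concatenated into markup as-is,
// so anyone allowed to edit blocks can place script in the dashboard page.
function theme_dashboard_disabled_block_vulnerable($variables) {
  $block = $variables['block'];
  $label = !empty($block['title']) ? $block['title'] : $block['info'];
  return '<div class="disabled-block"><h2>' . $label . '</h2></div>';
}

// After: every user-supplied string goes through check_plain() before output,
// and the info fallback is escaped too, as raised in the thread.
function theme_dashboard_disabled_block_fixed($variables) {
  $block = $variables['block'];
  // '<none>' is the sentinel Drupal uses for "show no title".
  if (!empty($block['title']) && $block['title'] != '<none>') {
    $label = check_plain($block['title']);
  }
  else {
    // Modules are not guaranteed to define 'info'; fall back to empty string.
    $label = check_plain(isset($block['info']) ? $block['info'] : '');
  }
  return '<div class="disabled-block"><h2>' . $label . '</h2></div>';
}

// Constructed sample blocks: one with a hostile title, one with no title and a
// hostile description, one that defines neither field.
$samples = array(
  array('block' => array('title' => '<script>alert(1)</script>', 'info' => 'Custom block')),
  array('block' => array('title' => '', 'info' => '<b>Custom</b> block')),
  array('block' => array('title' => '')),
);

foreach ($samples as $i => $variables) {
  $fixed = theme_dashboard_disabled_block_fixed($variables);
  echo "sample $i fixed:      $fixed\n";
  // The escaped output must not contain a single raw tag from the input.
  assert(strpos($fixed, '<script>') === false);
  assert(strpos($fixed, '<b>') === false);
}

// The vulnerable form passes the script tag straight through for sample 0.
$vulnerable = theme_dashboard_disabled_block_vulnerable($samples[0]);
echo "sample 0 vulnerable: $vulnerable\n";
assert(strpos($vulnerable, '<script>') !== false);
```

Run with `php example.php`; the fixed output for the first sample renders the title as `&lt;script&gt;alert(1)&lt;/script&gt;`, and the third sample shows why the isset() guard matters: without it, a block that defines no 'info' key produces a PHP notice rather than an empty heading.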

scor

That's an easy one to RTBC, now that the testbot gave a green light. Anyone?

catch

Status: Needs review » Reviewed & tested by the community

Yep, looks good now, if my previous rtbc doesn't invalidate this one :)

Dries

Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Security Advisory follow-up

Automatically closed -- issue fixed for 2 weeks with no activity.