Hi module's maintainers,
in the module there is a part where the output is not sanitized, allows cross site scripting to be executed.
As the module seems actively used by over 50k sites but has no coverage by Drupal Security Team, i open this issue here as a public one in order to let users of it know about the issue and act on their own safe before the new version of it gets released.
Here are the steps how it can be reproduced:
- Enable the module.
- Create a new format filter and set its name to this:
- Then add a long text (or use an already existing one) to a content type. When this page is loaded: admin/structure/types/manage/article/fields/body (where article is the bundle, body is the used field) you get the result of XSS exploit.
I'm attaching the patch that fixes this issue.
As for the exploit the following permissions are needed administer fields, administer filters if your site doesn't allow these to untrusted users the vulnerability's risk is much lower.
Thank you in advance,
Balazs.
Comment | File | Size | Author |
---|---|---|---|
#6 | better_formats-2896131-6-missing-check_plain-when-showing-filter-name.patch | 705 bytes | Alan D. |
Comments
Comment #2
Alan D. CreditAttribution: Alan D. commentedThis is not a notifiable security issue as the permission "administer filters" is required. You should never ever add administer fields, administer filters to untrusted users on any site!!!
https://www.drupal.org/drupal-security-team/security-advisory-process-an...
i.e. if you have this permission, you can simple remove all text formatting on a filter format (aka free html) and just add/edit ANY field in content (i.e. new post body field) that uses that format to implement a XSS attack.
Or if you had PHP filter enabled, you could simply enable that on any format, allowing anyone to to create posts with PHP code, etc
So yes, this should be fixed, but security issue no :)
You should use check_plain() here to show the exact characters typed. i.e. convert > to $amp;gt; so that it is outputted as >
Comment #3
geek-merlinYah, this does not need an official security advisorsy, but nevertheless constitues a major repercussion so setting major.
I agree, this patch should be rerolled using check_plain.
Comment #4
geek-merlinComment #5
Alan D. CreditAttribution: Alan D. commentedNar, totally not major, I actually say minor. ;)
Comment #6
Alan D. CreditAttribution: Alan D. commentedAnd a re-roll :)
Just to enforce the point about check_plain(), it's how Drupal handles it everywhere, doing anything else would be inconsistent with core
Comment #7
tatarbjI've tested and it works as expected :) Thanks guys for the work!
Bests,
Balazs.
Comment #8
Delphine Lepers CreditAttribution: Delphine Lepers at Trasys for European Commission and European Union Institutions, Agencies and Bodies commentedHi all,
Any chance to get a new release with this included?
Cheers
Comment #9
tatarbjI think it depends on the module maintainers - until that time you can use the patch attached here.
Comment #10
tatarbjComment #11
joseph.olstadComment #14
joseph.olstadComment #18
joseph.olstadReleased this:
https://www.drupal.org/project/better_formats/releases/7.x-1.0-beta3
And for those using PHP 8.0, PHP 8.1, PHP 8.2, use the latest 2.0 release (currently 7.x-2.0-beta1)
https://www.drupal.org/project/better_formats/releases/7.x-2.0-beta1