The XSS vulnerability is described in full here:
http://lampsecurity.org/drupal-cck-xss-vulnerability

A user with 'administer content types' permissions may insert JavaScript into the Title and Body field labels, and these scripts will fire on the 'manage fields' admin page.

The patch attached below merely runs the output of those field labels through check_plain().

This patch is not against the latest development snapshot. It is intended specifically for CCK 6.x-2.2.

Attached file: xss-label-fix.patch (724 bytes), uploaded by rickward
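The issue above describes the defect and the fix in one sentence each: admin-supplied field labels are dropped into the 'manage fields' page as raw HTML, and the patch routes them through check_plain(). The following is an added example, not the attached patch or CCK's own code, that places the unescaped rendering beside the escaped one so the effect of the fix is visible. The `check_plain()` stand-in mirrors the Drupal 6 core definition (UTF-8 validation, then `htmlspecialchars()` with `ENT_QUOTES`) so the script runs without a Drupal bootstrap; the field array and the label contents are constructed for the demo, and the row-rendering functions are hypothetical simplifications of the admin table.

```php
<?php
// Added example (not the CCK patch): contrast the unescaped label output
// described in the issue with the check_plain() fix.

// Stand-in for Drupal core's check_plain() so this runs outside Drupal.
// Drupal 6 rejects invalid UTF-8 before escaping; mirrored here.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    if (!preg_match('//u', $text)) {
      return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed field definitions standing in for what CCK loads from the
// content type. The second label carries markup that a user holding
// 'administer content types' could have typed into the label field.
$fields = array(
  array('field_name' => 'title', 'label' => 'Title'),
  array('field_name' => 'body',  'label' => 'Body <script>alert("xss")</script>'),
);

// "Before": the label is concatenated into the page as-is, so any markup
// in it is interpreted by the browser on the 'manage fields' page.
function manage_fields_row_unescaped(array $field) {
  return '<tr><td>' . $field['label'] . '</td>'
       . '<td>' . $field['field_name'] . '</td></tr>';
}

// "After": every admin-supplied string passes through check_plain() at the
// point of output, so the label is shown as text and never parsed as HTML.
function manage_fields_row_escaped(array $field) {
  return '<tr><td>' . check_plain($field['label']) . '</td>'
       . '<td>' . check_plain($field['field_name']) . '</td></tr>';
}

foreach ($fields as $field) {
  echo "unescaped: " . manage_fields_row_unescaped($field) . "\n";
  echo "escaped:   " . manage_fields_row_escaped($field) . "\n";
}
```

Running this prints the second label once with a live `<script>` tag and once as `&lt;script&gt;...&lt;/script&gt;`. Two design points carry over from the real fix: escaping happens at output time rather than on save, so labels already stored in the database are covered without a data migration, and `ENT_QUOTES` is used because the same label strings also end up inside attribute values, where a single quote would otherwise break out of the attribute.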

Comments

drewish:

I think this was found to be a non-issue. If you give someone administrator access, it shouldn't come as a surprise that they can cause problems. See SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities

rickward:

Yes, but our organization decided that it was best to minimize any potential vectors for attack, so we have implemented this (very simple) patch. That is why it is designed to be applied against the latest stable release rather than the latest development snapshot.

We have cases where certain users have a need for the content modeling tools provided by CCK, but they have no need for user management. These are trusted users, but they do not typically possess a systems administration background.

rickward:

Also (not to belabor the point): this issue is most certainly a bug, and, as such, should be addressed.

yched:

Status: Active » Fixed

As drewish wrote, this is not considered a security hole - which good folks at lampsecurity.com probably acknowledge too, since they so kindly disclosed it... *shrug*

No reason not to fix this, however. Committed.

rickward:

Thanks, yched!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.