Description of Vulnerability:
- - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Wikitools module (http://drupal.org/project/wikitools) "provides some settings to get a more wiki-like behavior. It aims to be lightweight; all features are optional, and it provides no database tables of its own."

The Wikitools module contains a cross site scripting vulnerability because it does not properly sanitize output of content types before display.

Systems affected:
- - -----------------
Wikitools 6.x-1.2 and 5.x-1.3 were tested and shown to be vulnerable.

Impact:
- - -------
XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:
- - -------------------
The Wikitools module must be installed. To carry out a Site map based XSS exploit the attacker must have 'administer content type' permissions.

Proof of Concept:
- ---------------------
1. Install Drupal
2. Install Wikitools
3. Create a new content type from Administer -> Content management -> Content types -> Add content type
4. Enter "alert('xss');" for the content type name and save the new content type
5. Enable the Wikitools module from Administer -> Site Building -> Modules
6. Click on Administer -> Site configuration -> Wikitools to observe the JavaScript

Technical details:
- ------------------------
The Wikitools module fails to sanitize the output of content type names before display, leading to an arbitrary HTML injection vulnerability.

Patch for wikitools 5.x-1.3
---------------------------
Applying the following patch mitigates these threats in Wikitools 5.x-1.3.

--- wikitools/wikitools.module 2009-03-25 15:15:47.000000000 -0400
+++ wikitools.fixed/wikitools.module 2009-10-09 12:04:03.055556867 -0400
@@ -132,7 +132,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#size' => count(node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,

Patch for wikitools 6.x-1.2
---------------------------
Applying the following patch mitigates these threats in Wikitools 6.x-1.2.

--- wikitools/wikitools.admin.inc 2009-06-17 23:57:33.000000000 -0400
+++ wikitools/wikitools.admin.inc 2009-10-09 14:38:06.020099834 -0400
@@ -37,7 +37,7 @@ function wikitools_admin_settings() {
$form['wikitools_node_types'] = array(
'#type' => 'checkboxes',
'#title' => t('Wiki node types'),
- '#options' => node_get_types('names'),
+ '#options' => array_map('filter_xss', node_get_types('names')),
'#default_value' => wikitools_node_types(),
'#multiple' => TRUE,
'#description' => t('Select the node types which will be affected by the specified options. If you select multiple node types, all nodes of these types will be searched for when a wikipath is entered. If a wikipage doesn\'t exist, an option to create any of these types will be given.'),

Vendor Response
---------------

In the past the vendor has responded that vulnerabilities requiring 'administer content types' privileges have already been addressed by SA-CORE-2009-002 (http://drupal.org/node/372836) and thus are not classified as security vulnerabilities, but rather as bugs.

Files: 
CommentFileSizeAuthor
#3 600406-3.patch1012 bytesjpmckinney

Comments

cwgordon7’s picture

Yes, what you say is correct, this is a bug, not a security vulnerability - a user who can change content type names can also administer content types, and thus can delete your entire database and in some cases actually execute PHP code, so an xss attack through wikitools is not a huge concern. Thank you for reporting this, however, this will go into the development branch and the next version.

asb’s picture

Can this issue be closed?

jpmckinney’s picture

Status:Active» Reviewed & tested by the community
StatusFileSize
new1012 bytes

Security team's patch works. RTBC

jpmckinney’s picture

Version:6.x-1.2» 6.x-1.x-dev
jpmckinney’s picture

Status:Reviewed & tested by the community» Fixed

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.