Some of the output generated by the profile module is not properly sanitized, resulting in an XSS vulnerability.
Steps to reproduce
==================
1) On a fresh site, enable the core optional "Profile" module.
2) Create a role (Administer > User management > Roles) called "admin helper".
3) Edit the permissions for "admin helper" so that they include "administer users" and "access administration pages".
4) Create a new user and add this user to the "admin helper" role.
5) Log in as the new user, and go to Administer > User management > Profiles.
6) Add a "single-line text-field". Use the following values:
a) category: <script>alert('xss-category');</script>
b) title: Title
c) Form name: profile_script
d) explanation: <script>alert('xss-explanation');</script>
Leave the rest of the values at their defaults and save the form.
7) When visiting admin/user/profile, the "category" script will be executed.
8) When visiting user/3/edit/, the "explanation" script will be executed.
NOTE: Because this vulnerability requires the "administer users" permission, and after consulting the security team, it was decided that this bug could be posted to the public issue queue (also see the Security announcements and process policy).
Comment | File | Size | Author |
---|---|---|---|
#16 | 611532-xss-profile_16.patch | 1.51 KB | ctmattice1 |
#5 | 611532-xss-profile_5.patch | 1.54 KB | scor |
#1 | 611532-xss-profile.patch | 2.11 KB | mr.baileys |
Comments
Comment #1
mr.baileys: Patch attached.
Comment #2
mr.baileys: bump...
Comment #3
mr.baileys: Tagging...
Comment #4
mr.baileys: Additional tag.
Comment #5
scor: rerolling patch
Comment #6
scor: moving to 7.x for testing
Comment #7
coltrane: subscribing
Comment #8
mitchmac: Patch in #5 applied and worked as expected.
Comment #9
meba: This is obviously critical.
Comment #10
CitizenKane: I can verify the issue as well and I can also verify that the patch in #5 fixes the issue.
Comment #11
ChrisMiller627: I can also verify this issue, and the patch in #5 works as expected.
Comment #12
webchick: Great work, folks! Committed to HEAD.
Comment #13
mr.baileys: Needs a backport to 6.x-dev...
Comment #15
LiuShaz: My user profile structure:
- Personal information
-- Firstname (textfield)
-- Lastname (textfield)
-- Phone (textfield)
-- Address (textarea)
I typed the following into the "Firstname" field and saved the form:
Johnson" /><script>alert('xss vurn?');</script><input type="hidden" name="test
The user profile page then shows the alert...
I fixed that directly in the function "profile_save_profile":
db_query("INSERT INTO {profile_values} (fid, uid, value) VALUES (%d, %d, '%s')", $field->fid, $user->uid, filter_xss($edit[$field->name]));
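As an added example (not code from the Drupal issue, the attached patches, or the profile module itself), the standalone PHP script below shows the defect the report describes and the standard mitigation for it: escaping untrusted values at the point of output rather than relying on filtering at save time. It covers both the category/explanation values from the steps to reproduce and the attribute-breaking "Firstname" value from comment #15. The `escape_html()` helper stands in for Drupal 6's `check_plain()` (assumed here to be `htmlspecialchars()` with `ENT_QUOTES` and UTF-8); the render functions, the `count_tags()` self-check and the sample values are constructed for illustration and are not the module's real code.

```php
<?php
// Added example, not code from the Drupal issue or the profile module.
// escape_html() stands in for Drupal 6's check_plain() (assumed to be
// htmlspecialchars with ENT_QUOTES, UTF-8). The render_* functions and the
// sample values below are constructed for illustration.

function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The defect from the report: admin-supplied profile field metadata
// (category, explanation) is concatenated straight into markup, so a value
// containing <script> becomes live script in the admin listing / edit form.
function render_field_vulnerable(array $field): string {
    return '<tr><td>' . $field['category'] . '</td>'
         . '<td>' . $field['title'] . '</td></tr>' . "\n"
         . '<div class="description">' . $field['explanation'] . '</div>';
}

// Same markup with every untrusted value escaped at the point of output.
// Escaping here (not at save time) also protects any other page that
// renders the same stored value.
function render_field_safe(array $field): string {
    return '<tr><td>' . escape_html($field['category']) . '</td>'
         . '<td>' . escape_html($field['title']) . '</td></tr>' . "\n"
         . '<div class="description">' . escape_html($field['explanation']) . '</div>';
}

// The comment #15 case: a stored profile value rendered inside an attribute.
// Escaping the double quote (ENT_QUOTES) is what keeps the value from closing
// the attribute and starting new elements.
function render_input_vulnerable(string $name, string $value): string {
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

function render_input_safe(string $name, string $value): string {
    return '<input type="text" name="' . escape_html($name)
         . '" value="' . escape_html($value) . '" />';
}

// Crude self-check: count tag openers ('<' followed by a letter or '/').
// For escaped output this must equal the number of tags in the template
// itself, because escaped values contain only &lt; and never a raw '<'.
function count_tags(string $html): int {
    return preg_match_all('#<[a-zA-Z/]#', $html);
}

// Constructed sample values, copied from the report and from comment #15.
$field = [
    'category'    => "<script>alert('xss-category');</script>",
    'title'       => 'Title',
    'explanation' => "<script>alert('xss-explanation');</script>",
];
$firstname = 'Johnson" /><script>alert(\'xss vurn?\');</script><input type="hidden" name="test';

foreach ([
    'field metadata (vulnerable)' => render_field_vulnerable($field),
    'field metadata (escaped)'    => render_field_safe($field),
    'profile value (vulnerable)'  => render_input_vulnerable('profile_firstname', $firstname),
    'profile value (escaped)'     => render_input_safe('profile_firstname', $firstname),
] as $label => $html) {
    printf("%-28s tags=%d\n%s\n\n", $label, count_tags($html), $html);
}

// The escaped renderings contain exactly the template's own tags (8 in the
// field row/description, 1 in the input); anything more means markup leaked.
$ok = count_tags(render_field_safe($field)) === 8
   && count_tags(render_input_safe('profile_firstname', $firstname)) === 1;
exit($ok ? 0 : 1);
```

Run it with `php example.php`: the two "vulnerable" renderings show the injected `<script>` and `<input>` elements as real tags, while the "escaped" renderings show them as inert `&lt;script&gt;` text. The contrast with the `filter_xss()`-at-save approach in comment #15 is that output escaping does not depend on every write path having been filtered, which is why it is the usual fix for this class of bug.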
Comment #16
ctmattice1: backported patch for 6.x
Comment #17
greggles: @LiuShaz - I cannot repeat your problem on a stock Drupal 6.x site. I suggest trying a different theme (or a stock Drupal 6 site). If you can still repeat the bug then it should be reported to the security team.
#16 seems RTBC to me.
Comment #18
Xano: See #301071: Remove profile module from core.
Comment #19
Xano: Aaaaaand this issue is not for 8.x. Good morning, Xano!
Comment #21
greggles: d6 testbot--
Comment #22
NancyDru: I did see this on a stock 6.34 site. The Security Team will not accept it as the problem requires a restricted permission to trigger it.