Some of the output generated by the profile module is not properly sanitized, resulting in an XSS vulnerability.

Steps to reproduce
==================
1) On a fresh site, enable the core optional "Profile" module.
2) Create a role (Administer > User management > Roles) called "admin helper".
3) Edit the permissions for "admin helper" so that they include "administer users" and "access administration pages".
4) Create a new user and add this user to the "admin helper" role.
5) Log in as the new user, and go to Administer > User management > Profiles.
6) Add a "single-line text-field". Use the following values:
a) category: <script>alert('xss-category');</script>
b) title: Title
c) Form name: profile_script
d) explanation: <script>alert('xss-explanation');</script>
Leave the rest of the values and save the screen.

7) When visiting admin/user/profile the "category" script will be executed.
8) When visiting user/3/edit/ the "explanation" script will be executed.

NOTE: Given the fact that this vulnerability requires "Administer Users" permissions and after consulting the security team, it was decided that this bug could be posted to the public issue queue (also see Security announcements and process policy).


Comments

mr.baileys

Status: Active » Needs review
FileSize: 2.11 KB

Patch attached.

mr.baileys

bump...

mr.baileys

Issue tags: +Security improvements

Tagging...

mr.baileys

Additional tag.

scor

FileSize: 1.54 KB

rerolling patch

scor

Version: 6.x-dev » 7.x-dev

moving to 7.x for testing

coltrane

subscribing

mitchmac

Patch in #5 applied and worked as expected.

meba

Priority: Normal » Critical

This is obviously critical.

CitizenKane

Status: Needs review » Reviewed & tested by the community

I can verify the issue as well and I can also verify that the patch in #5 fixes the issue.

ChrisMiller627

I can also verify this issue, and the patch in #5 works as expected.

webchick

Status: Reviewed & tested by the community » Fixed

Great work, folks! Committed to HEAD.

mr.baileys

Version: 7.x-dev » 6.x-dev
Priority: Critical » Normal
Status: Fixed » Needs review

Needs a backport to 6.x-dev...

LiuShaz

My users profile structure:
- Personal information
-- Firstname (textfield)
-- Lastname (textfield)
-- Phone (textfield)
-- Address (textarea)

I typed to input "Firstname" value & saved form:
Johnson" /><script>alert('xss vurn?');</script><input type="hidden" name="test

In user profile page shows alert...
I fixed that direct in function "profile_save_profile":
db_query("INSERT INTO {profile_values} (fid, uid, value) VALUES (%d, %d, '%s')", $field->fid, $user->uid, filter_xss($edit[$field->name]));
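The following is an added example and not the core patch from #5/#16 or code from any commenter. It renders the two admin-supplied strings named in the report (the field "category" and "explanation") once raw and once through Drupal's check_plain(), which is the escape-on-output pattern Drupal core uses. It also bears on the comment directly above: filter_xss() inside profile_save_profile() touches only per-user answers written to {profile_values}, while the category and explanation strings in the report are field definitions stored in {profile_fields}, so a save-time filter there does not reach the output this issue is about. The function names profile_category_row_*, profile_explanation_* and contains_script_tag are hypothetical, the $field object is constructed from step 6 of the report, and the check_plain() stand-in is only there so the file runs outside a Drupal bootstrap.

```php
<?php
// Added example (not the core patch, not the project's code): the two strings
// from the report, rendered without and with Drupal's escape-on-output helper.

// Stand-in so this runs outside Drupal (assumption: bootstrap not loaded).
// Drupal's real check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed field definition matching step 6 of the report. In Drupal these
// values live in {profile_fields}; per-user answers live in {profile_values},
// which is the table profile_save_profile() writes to.
$field = (object) array(
  'fid'         => 1,
  'title'       => 'Title',
  'name'        => 'profile_script',
  'category'    => "<script>alert('xss-category');</script>",
  'explanation' => "<script>alert('xss-explanation');</script>",
);

// Hypothetical vulnerable rendering: admin-supplied strings concatenated raw
// into markup, which is the shape of the defect the report describes.
function profile_category_row_unsafe($field) {
  return '<tr><td>' . $field->category . '</td><td>' . $field->title . '</td></tr>';
}
function profile_explanation_unsafe($field) {
  return '<div class="description">' . $field->explanation . '</div>';
}

// Hardened rendering: escape at the point of output. The stored value is left
// untouched, and every HTML context receives the entity-encoded form.
function profile_category_row_safe($field) {
  return '<tr><td>' . check_plain($field->category) . '</td><td>'
       . check_plain($field->title) . '</td></tr>';
}
function profile_explanation_safe($field) {
  return '<div class="description">' . check_plain($field->explanation) . '</div>';
}

// Detection helper for the self-check: does a literal <script> tag survive?
function contains_script_tag($html) {
  return stripos($html, '<script') !== FALSE;
}

// Self-check: the raw renderings carry the tag verbatim, the escaped ones do not.
if (!contains_script_tag(profile_category_row_unsafe($field))) {
  throw new Exception('unsafe category row should contain the raw tag');
}
if (!contains_script_tag(profile_explanation_unsafe($field))) {
  throw new Exception('unsafe explanation should contain the raw tag');
}
if (contains_script_tag(profile_category_row_safe($field))) {
  throw new Exception('escaped category row must not contain a script tag');
}
if (contains_script_tag(profile_explanation_safe($field))) {
  throw new Exception('escaped explanation must not contain a script tag');
}

echo profile_category_row_safe($field), "\n";
echo profile_explanation_safe($field), "\n";
```

Run it with `php example.php`; the script throws if either escaped rendering still contains a script tag. In real Drupal code the same effect comes from passing the strings through check_plain() or using the @placeholder form of t(), since @placeholders are escaped while !placeholders are inserted verbatim.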

ctmattice1

FileSize: 1.51 KB

backported patch for 6.x

greggles

Status: Needs review » Reviewed & tested by the community

@LiuShaz - I cannot repeat your problem on a stock Drupal 6.x site. I suggest trying a different theme (or a stock Drupal 6 site). If you can still repeat the bug then it should be reported to the security team

#16 seems RTBC to me.

Xano

Status: Reviewed & tested by the community » Closed (won't fix)

Xano

Status: Closed (won't fix) » Reviewed & tested by the community

Aaaaaand this issue is not for 8.x. Good morning, Xano!

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 16: 611532-xss-profile_16.patch, failed testing.

greggles

Issue summary: View changes
Status: Needs work » Reviewed & tested by the community

d6 testbot--

NancyDru

I did see this on a stock 6.34 site. The Security Team will not accept it as the problem requires a restricted permission to trigger it.

Status: Reviewed & tested by the community » Closed (outdated)

Automatically closed because Drupal 6 is no longer supported. If the issue verifiably applies to later versions, please reopen with details and update the version.