Breadcrumb separator XSS vulnerability

The text of this advisory is also available at http://www.madirish.net/?article=452

Description of Vulnerability (or display bug, depending on your perspective):
---------------------------------------------------------------------------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides custom look and feel functionality with themes. The popular Zen theme contains a cross site scripting vulnerability due to the fact that it fails to properly sanitize breadcrumb separators upon display allowing arbitrary script injection.

Systems affected:
----------------
Zen 6.x-1.1 was tested and shown to be vulnerable

Mitigating factors:
-------------------
Attacker must have 'administer site configuration' permissions or write access to the database in order to exploit this vulnerability. Additionally the breadcrumb configuration form limits the length to 10 characters.

Proof of concept:
-----------------
1. Install Drupal 6.16 and the Zen theme.
2. Enable the Zen theme from Administer -> Site building -> Modules
3. Go to Administer -> Site building -> Themes
4. Click on the 'configure' link
5. Enter script in the 'Breadcrumb separator' text area
6. Click the 'Save configuration' button

Patch
-----
Applying the following patch mitigates this threat.

--- zen_fixed/zen/template.php 2010-03-26 10:09:43.718371984 -0400
+++ zen/zen/template.php 2010-03-26 10:09:54.864395793 -0400
@@ -60,7 +60,7 @@ function zen_breadcrumb($breadcrumb) {

// Return the breadcrumb with separators.
if (!empty($breadcrumb)) {
- $breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator'));
+ $breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator');
$trailing_separator = $title = '';
if (theme_get_setting('zen_breadcrumb_title')) {
if ($title = drupal_get_title()) {