The text of this advisory is also available at http://www.madirish.net/?article=452
Description of Vulnerability (or display bug, depending on your perspective):
---------------------------------------------------------------------------------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides custom look and feel functionality with themes. The popular Zen theme contains a cross site scripting vulnerability due to the fact that it fails to properly sanitize breadcrumb separators upon display allowing arbitrary script injection.
Systems affected:
----------------
Zen 6.x-1.1 was tested and shown to be vulnerable
Mitigating factors:
-------------------
Attacker must have 'administer site configuration' permissions or write access to the database in order to exploit this vulnerability. Additionally the breadcrumb configuration form limits the length to 10 characters.
Proof of concept:
-----------------
1. Install Drupal 6.16 and the Zen theme.
2. Enable the Zen theme from Administer -> Site building -> Modules
3. Go to Administer -> Site building -> Themes
4. Click on the 'configure' link
5. Enter script in the 'Breadcrumb separator' text area
6. Click the 'Save configuration' button
Patch
-----
Applying the following patch mitigates this threat.
--- zen_fixed/zen/template.php 2010-03-26 10:09:43.718371984 -0400
+++ zen/zen/template.php 2010-03-26 10:09:54.864395793 -0400
@@ -60,7 +60,7 @@ function zen_breadcrumb($breadcrumb) {
// Return the breadcrumb with separators.
if (!empty($breadcrumb)) {
- $breadcrumb_separator = check_plain(theme_get_setting('zen_breadcrumb_separator'));
+ $breadcrumb_separator = theme_get_setting('zen_breadcrumb_separator');
$trailing_separator = $title = '';
if (theme_get_setting('zen_breadcrumb_title')) {
if ($title = drupal_get_title()) {
Comments
Comment #1
Justin_KleinKeane CreditAttribution: Justin_KleinKeane commentedWhoops, the diff is actually backwards in the patch, reverse the '+' and '-' for an effective patch.
Comment #2
JohnAlbinFrom http://drupal.org/node/475848:
Doing a check_plain on that value means site admins can't put html in that field, like character entity references. For example, “→” would be displayed instead of “→”
Additionally, I asked around in IRC and was told “Fixing security holes like that is akin to putting dead bolts on your bathroom door.” Attackers are already in the house.
So I don't see a reason to fix this.
Comment #3
Justin_KleinKeane CreditAttribution: Justin_KleinKeane commentedHello,
you may want to consider a finer grain filter than check_plain() but some filter would definitely be helpful. If an admin uses a "<" or some other XHTML delimiter it can destroy layout and effectively lock the admin out of the site. This is a concern when non-technical admins are manipulating the site and unable to rectify the mayhem that's created when they botch the layout with a bad breadcrumb separator. A quick DB update fixes the issue but many users aren't capable of that level of manipulation. Even if you don't consider this a security problem (I know the Drupal security team doesn't which is why I didn't report to them) it is definitely a display bug - I found it after a user borked a layout and I had to fix it for them. Thanks!
-Justin
Comment #4
JohnAlbinAdded filter_xss_admin().
Pushed to all branches
http://drupalcode.org/project/zen.git/commit/d46c57f
http://drupalcode.org/project/zen.git/commit/24dd4b3
http://drupalcode.org/project/zen.git/commit/23747b5
http://drupalcode.org/project/zen.git/commit/52a9b40
http://drupalcode.org/project/zen.git/commit/d4f644c
Comment #6
clancyhood CreditAttribution: clancyhood commentedI agree. It has the added effect of discouraging Drupal site admins from taking security updates seriously.
The mitigating factors in this report are so limiting in fact that the bathroom door analogy doesn't quite do it justice. It's more like trying to prevent house burglars from using your teaset by padlocking your biscuit tin.
For those who rely mostly on the red message box on admin screens in order to be notified in time of the next available security updates for a given site, they're going to have to apply this one and get it out of the way. Some admins will read this report, not bother applying it and consequently apply other more critical fixes late.