Background information
This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.
- security.drupal.org private issue: https://git.drupalcode.org/security/185108-drupal-security/-/work_items/1 (included for reference; please do not report "access denied" as an error.)
Problem/Motivation
If Drupal is in English, the window.drupalTranslations object is never created, so that global name is vulnerable to DOM clobbering.
DOM clobbering a nested object with this many levels requires using iframes.
If an attacker can insert iframes (for example with the ckeditor_iframe module), they could insert this payload:
<iframe name="drupalTranslations" src="/url/of/current/page"></iframe>
<iframe name="strings" src="/url/of/current/page"></iframe>
<a id="foo"></a><a id="foo" name="bar" href="clobbered"></a>
Now drupalTranslations.strings.foo.bar points to the link.
So Drupal.t('bar', [], {context: 'foo'}).toString() now returns http://localhost/drupal/clobbered.
(This only works in Chrome but not in Firefox for some reason.)
This could be used to inject dangerous markup into the page, but it can only target translated strings that have a context.
Steps to reproduce
For example, if you have a module that does this:
$element.append(
  `<abbr title="${Drupal.t('Changed', [], { context: 'mymodule' })}">*</abbr>`,
);
It is usually safe because the output of Drupal.t() can be trusted.
If an attacker can insert this HTML:
<iframe name="drupalTranslations" src="/drupal/web/"></iframe>
<iframe name="strings" src="/drupal/web/"></iframe>
<a id="mymodule"></a><a id="mymodule" name="Changed" href="http://"><img src=x onerror=alert()>"></a>
Now Drupal.t() returns an XSS payload and the dangerous JS is executed.
Proposed resolution
I think the solution would be to always create window.drupalTranslations.
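The following is an added example, not code from Drupal core or from the issue reporter. It models the part of Drupal.t() that matters here (a translation is looked up at drupalTranslations.strings[context][source]) and shows two defences: always installing drupalTranslations as an own property of the global object, which is what the proposed resolution amounts to, and accepting only string values from the table so that a clobbered element can never be stringified into markup. The names makeClobberedTranslations, naiveT, safeT and installTranslations are assumptions for this illustration, and the clobbered object is constructed by hand rather than by a real DOM.

```javascript
// Added example, not Drupal core code. Assumed helper names throughout.

// Constructed stand-in for what the clobbering markup described in the issue
// looks like from script: drupalTranslations.strings.mymodule.Changed ends up
// being an anchor element, whose toString() returns its href.
function makeClobberedTranslations(href) {
  const anchorLike = { href, toString() { return href; } };
  return { strings: { mymodule: { Changed: anchorLike } } };
}

// Naive lookup: trusts whatever it finds and stringifies it. This reproduces
// the behaviour the issue describes (an element's href becomes the "translation").
function naiveT(translations, source, context) {
  const table = (translations && translations.strings) || {};
  const byContext = table[context] || {};
  return String(byContext[source] || source);
}

// Hardened lookup: only an own, string-valued entry counts as a translation.
// Anything else (element, window, function) falls back to the source text.
function safeT(translations, source, context) {
  const own = Object.prototype.hasOwnProperty;
  const table = translations && translations.strings;
  if (!table || typeof table !== 'object') return source;
  const byContext = own.call(table, context) ? table[context] : undefined;
  if (!byContext || typeof byContext !== 'object') return source;
  const value = own.call(byContext, source) ? byContext[source] : undefined;
  return typeof value === 'string' ? value : source;
}

// Always define the translations object as an own property of the global
// object, even when there are no translated strings. Named iframe access on
// window lives behind own properties in the lookup order, so once this own
// property exists a named element cannot take the identifier's place.
function installTranslations(globalObject, data) {
  const value = data && typeof data === 'object' ? data : { strings: {} };
  Object.defineProperty(globalObject, 'drupalTranslations', {
    value, writable: false, configurable: false, enumerable: true,
  });
  return globalObject.drupalTranslations;
}

// Demonstration on the constructed objects.
const clobbered = makeClobberedTranslations('http://localhost/drupal/clobbered');
console.log('naive :', naiveT(clobbered, 'Changed', 'mymodule')); // the href
console.log('safe  :', safeT(clobbered, 'Changed', 'mymodule'));  // "Changed"
```

The type check in safeT is the cheap, local mitigation a module author can apply today; installTranslations is the structural one, since the clobbering only works at all because the global name is left undefined on English sites.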
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Issue fork drupal-3607796