On August 10, 2014 at 11:25pm, Matt V. reported the following along with the attached patch...
I ran the Coder Review module against version 7.x-1.7 of the "Redirect 403 to User Login" module and it flagged the following:
sites/all/modules/contrib/r4032login/r4032login.module: +116: [critical] Potential problem: drupal_set_message() (http://api.drupal.org/api/function/drupal_set_message/) only accepts filtered text, be sure to use check_plain() (http://api.drupal.org/api/function/check_plain/), filter_xss() (http://api.drupal.org/api/function/filter_xss/) or similar to ensure your $variable is fully sanitized.
I can confirm the XSS vulnerability in both the Drupal 6 and 7 versions. In Drupal 7, I went to the Site Information Page and added
<script>alert(document.cookie);</script>
to the end of the "User login 'access denied' message" field. When I then open a separate incognito window (not logged into the site) and try to visit /admin, my cookie for the site appears in a popup.

In the Drupal 6 version, the effect is the same, though the administration page is titled "Redirect 403 to User Login" and the field is "Display access denied message on login page".
I'm attaching a patch that fixes the issue for me.
Comment | File | Size | Author
---|---|---|---
#1 | r4032login-xss_issue.patch_1.txt | 702 bytes | bdone
 | r4032login-xss_issue.patch | 697 bytes | bdone
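The pattern Coder Review flagged, shown as an added example beside a hardened form. This is not code from the r4032login module or from either attached patch. Because Drupal is not loaded here, drupal_set_message(), check_plain() and variable_get() are stood in for by minimal equivalents (the check_plain() stand-in assumes Drupal 7's behaviour of htmlspecialchars() with ENT_QUOTES and UTF-8), the variable name example_denied_message is hypothetical, and the stored message is a constructed value that mirrors the payload in the report above.

```php
<?php
// Added example, not code from the r4032login module or its patch.
// Stand-ins for Drupal functions follow so the script runs on its own
// with the PHP CLI: php example.php

$messages = array();

// Stand-in for drupal_set_message(): Drupal records the string and later
// prints it verbatim in the page (via theme_status_messages()), so the
// caller is responsible for passing already-safe HTML.
function drupal_set_message($message, $type = 'status') {
  global $messages;
  $messages[$type][] = $message;
}

// Stand-in for check_plain(): encode every HTML special character.
// (Assumption: matches Drupal 7's htmlspecialchars(ENT_QUOTES, 'UTF-8').)
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for variable_get(): the administrator-configured message.
// 'example_denied_message' is a hypothetical variable name; the value is
// constructed test input that mirrors the report's payload.
function variable_get($name, $default = NULL) {
  $settings = array(
    'example_denied_message' => 'Access denied. <script>alert(document.cookie);</script>',
  );
  return isset($settings[$name]) ? $settings[$name] : $default;
}

// Vulnerable pattern: the configured text reaches every visitor who hits
// a 403 page, anonymous users included, without any escaping.
function denied_message_vulnerable() {
  $message = variable_get('example_denied_message', '');
  if ($message !== '') {
    drupal_set_message($message, 'error');
  }
}

// Hardened pattern: escape before handing the text to drupal_set_message().
// check_plain() turns all markup into literal text; if the setting is meant
// to allow limited HTML, filter_xss() or filter_xss_admin() is the option.
function denied_message_hardened() {
  $message = variable_get('example_denied_message', '');
  if ($message !== '') {
    drupal_set_message(check_plain($message), 'error');
  }
}

// Render what the stand-in collected, the way the theme layer would.
function render_messages() {
  global $messages;
  $out = '';
  foreach ($messages as $type => $list) {
    foreach ($list as $m) {
      $out .= "<div class=\"messages $type\">$m</div>\n";
    }
  }
  $messages = array();
  return $out;
}

denied_message_vulnerable();
$vulnerable = render_messages();

denied_message_hardened();
$hardened = render_messages();

echo 'Vulnerable output contains <script>: '
  . (strpos($vulnerable, '<script>') !== FALSE ? 'yes' : 'no') . "\n";
echo 'Hardened output contains <script>:   '
  . (strpos($hardened, '<script>') !== FALSE ? 'yes' : 'no') . "\n";
echo $hardened;
```

The point to take from the two functions is the contract of drupal_set_message(): it treats its argument as safe HTML, so any string that originates from configuration, even configuration only an administrator can set, has to be escaped or filtered by the caller. The choice between check_plain() and filter_xss_admin() depends on whether the field is documented as accepting markup; either one removes the script injection the report describes.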
Comments
Comment #1
bdone commented: Greggles supplied a second patch and added...
Comment #2
bdone commented: Fixed in the following commits:
6.x: http://cgit.drupalcode.org/r4032login/commit/?id=4b5d4d0
7.x: http://cgit.drupalcode.org/r4032login/commit/?id=b80e5f0
8.x: http://cgit.drupalcode.org/r4032login/commit/?id=b209c9c