Drupal Custom Publishing Options XSS Vulnerability
Reported Jan 3, 2012
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Custom Publishing Options module (https://drupal.org/project/custom_pub) contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize format names before display.
Drupal 6.22 with Custom Publishing Options 6.x-1.4 was tested and shown to be vulnerable.
Users could inject arbitrary scripts into pages, affecting site users. This could result in administrative account compromise leading to web server process compromise.
To inject arbitrary scripts, malicious users must have the 'Administer nodes' permission.
Proof of Concept Exploit:
- Install and enable the Custom Publishing Options module
- Add a new label at ?q=admin/content/custom_pub inserting arbitrary HTML in the 'Publishing label' field.
- Save the label to view the rendered script or view it on the create content page for the appropriate content type.
After the vulnerability was publicly disclosed at this site on 30 May, 2012 (http://www.madirish.net/538) and the vendor was notified of the disclosure, work commenced that resulted in SA-CONTRIB-2012-127 on 15 August 2012 recommending upgrading to versions 6.x-1.4 or later.
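The output-escaping flaw described above, shown as an added example that is not code from the Custom Publishing Options module: a stored label rendered as-is beside the same label escaped at output time. The function names and sample labels are hypothetical, and escape_label() stands in for Drupal 6's check_plain() so the script runs without a Drupal bootstrap.

```php
<?php
// Added illustration; not code from the Custom Publishing Options module.
// escape_label() is a hypothetical stand-in for Drupal 6's check_plain().
function escape_label($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: labels as an account with 'Administer nodes'
// could have saved them. The second one carries harmless markup.
$stored_labels = array(
  'featured' => 'Featured',
  'reviewed' => '<em>Reviewed</em> & approved',
);

// Vulnerable pattern: the stored label is concatenated into HTML as-is,
// so any markup in it is interpreted by every browser that loads the page.
function render_option_unsafe($key, $label) {
  return '<label><input type="checkbox" name="' . $key . '" /> '
    . $label . '</label>';
}

// Hardened pattern: escape at output time, in every place the label is
// shown (the admin listing and the create content form alike).
function render_option_safe($key, $label) {
  return '<label><input type="checkbox" name="' . escape_label($key) . '" /> '
    . escape_label($label) . '</label>';
}

foreach ($stored_labels as $key => $label) {
  echo "unsafe: ", render_option_unsafe($key, $label), "\n";
  echo "safe:   ", render_option_safe($key, $label), "\n";
}
```

In the safe output the second label appears as literal text (&lt;em&gt;Reviewed&lt;/em&gt; &amp; approved) instead of being parsed as markup.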