This file documents a proof of concept to demonstrate the cross site scripting vulnerability in the Drupal Activity module version 6.x.
21cff53d4151dcb6cd0a86095cfb274645d44512ecad08ffa9a0c5beb8eac1e5-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Exploit for bespoke:
* Install and enable the Activity and Flag modules
* Add a new Flag with an arbitrary name at ?q=admin/build/flags/add
* On the resulting page (?q=admin/build/flags/add/node/[name]) enter
"<script>alert('xss');</script>" for the flag Title
* View the rendered Javascript at /?q=admin/settings/activity/flagactivity
* As above
* Alter the "Comment: Insert:" field in the "Message visible to the
"All" role" fieldgroup at ?q=admin/settings/activity/commentactivity
to insert the text "<script>alert('xss');</script>"
* Move the "Activity (All): show all recent activity" block to a
visible content region at ?q=admin/build/block
* Create a story at ?q=node/add/story
* Log out
* As anonymous user add a comment at ?q=comment/reply/X#comment-form
where X is the nid of the story from step #4
* Submit the comment to view the rendered JavaScript alert in the
Activity block or log back in to see the JavaScript at ?q=activity
Patch:
The following patch mitigates the above vulnerabilities.
- --- activity/activity.module 2009-04-26 21:45:25.000000000 -0400
+++ activity.fixed/activity.module 2012-01-26 06:34:56.014821191 -0500
@@ -311,7 +311,7 @@ function activity_module_settings(&$form
'#type' => 'checkboxes',
'#title' => t('Token types'),
'#description' => t('Select the token types that you wish to
record activity from.'),
- - '#options' => $info['types'],
+ '#options' => array_map("filter_xss", $info['types']),
'#default_value' => variable_get($module .'_token_types',
array_keys($info['types'])),
'#attributes' => array('class' => 'activity-token-types'),
);
@@ -350,7 +350,7 @@ function activity_module_settings(&$form
if (count($types) > 1) {
$form[$module][$role_name][$type_name] = array(
'#type' => 'fieldset',
- - '#title' => t($type),
+ '#title' => filter_xss(t($type)),
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
@@ -1034,7 +1034,7 @@ function activity_token_replace($activit
activity_invoke_activityapi($activity, 'render');
$message = token_replace($pattern, $module, $data);
$message = token_replace($message, 'activity', $data);
- - return $message;
+ return filter_xss($message);
}
}
Justin Klein Keane
http://www.MadIrish.net
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed