Drupal versions 5, 6, and 7 suffer from a cross-site scripting vulnerability.
Hi,
There is a persistent XSS in Drupal versions 5.x, 6.x and 7.x (I have not yet tested Drupal 8.x as it has not been fully released).

The function which is vulnerable is the watchdog() function, where the $message parameter does not get sanitized and you can pass through arbitrary code to be executed in the client's browser.

This can be exploited if a module/theme/hook call directly calls the watchdog function. You could pass in a simple <script>alert(document.domain);</script> or whatever payload you wish. For example, you could hijack the admin's browser using something like the BeEF framework or similar tools.

A simple way to fix this bug would be to wrap $message in htmlentities().
Thanks.
Richard Clifford.
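Added example, not part of the post above or of Drupal's own code: a hypothetical Drupal 7 module that logs a visitor-supplied field through watchdog(), showing the unsanitized call beside two hardened forms. It assumes the Drupal 7 API (watchdog(), check_plain(), format_string() placeholder handling, WATCHDOG_NOTICE); the module name, function names and form field are invented.

```php
<?php
/**
 * Hypothetical Drupal 7 module "example_log" (constructed for this example).
 * It records a free-text "note" submitted by a visitor; $note is untrusted.
 * Assumes the Drupal 7 API: watchdog(), check_plain(), WATCHDOG_NOTICE.
 */

/**
 * Unsafe pattern: untrusted input concatenated straight into $message.
 * watchdog() stores $message as given, and the dblog report (Reports >
 * Recent log messages) renders the stored entry as HTML, so any markup
 * in $note runs in the browser of the administrator viewing that entry.
 */
function example_log_note_unsafe($note) {
  watchdog('example_log', 'Visitor note: ' . $note, array(), WATCHDOG_NOTICE);
}

/**
 * Hardened pattern: keep $message a static format string and pass the
 * dynamic value in $variables under an @ placeholder. Drupal expands the
 * placeholders with format_string(), which runs check_plain() on @ values
 * (and on % values, wrapped in <em>), so the note is HTML-escaped when the
 * entry is displayed. A ! placeholder is inserted raw and must never carry
 * untrusted data.
 */
function example_log_note_hardened($note) {
  watchdog('example_log', 'Visitor note: @note', array('@note' => $note), WATCHDOG_NOTICE);
}

/**
 * The fix the advisory proposes, in Drupal terms: escape before logging.
 * check_plain() is Drupal's htmlspecialchars() wrapper and plays the role
 * of the suggested htmlentities() call. This works, but it concatenates a
 * dynamic value into the message, which the watchdog() documentation
 * advises against; the placeholder form above is the prescribed convention.
 */
function example_log_note_escaped($note) {
  watchdog('example_log', 'Visitor note: ' . check_plain($note), array(), WATCHDOG_NOTICE);
}

/**
 * Invented form submit handler showing where the untrusted value enters:
 * everything in $form_state['values'] was supplied by the visitor.
 */
function example_log_note_form_submit($form, &$form_state) {
  example_log_note_hardened($form_state['values']['note']);
}
```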