Drupal Taxonomy Theme Cross Site Scripting

Posted Feb 26, 2009
Authored by Justin C. Klein Keane

The Drupal Taxonomy Theme version 5.x-1.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 910abd62192a62f24e88bd8e0a24cfaaf8cb8214622ef3b378fdbaa2fffeb0a0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version Tested:
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)
Drupal 5.15 (http://drupal.org)

Module maintainer and Drupal security team notified

"The taxonomy_theme module allows you to change the theme of a given
node based on the taxonomy term, vocabulary or nodetype of that node.
You can also theme your forums and map themes to Drupal paths or path
aliases directly." The module contains a stored Cross Site Scripting
(XSS) vulnerability: a user holding the 'administer taxonomy' permission
can place script in a vocabulary name, and that script executes in the
browser of any administrator who later views the Taxonomy Theme
configuration page. Details are also available at
http://www.lampsecurity.org/node/21

Executing the Attack:

1. Enable the Drupal core Taxonomy module
2. Create a new vocabulary by clicking Administer -> Content Management
-> Categories.
3. Click the 'Add Vocabulary' link
4. For the 'Vocabulary name' enter <script>alert('xss');</script>, fill
in arbitrary values for all other fields
5. Click on Administer -> Site configuration -> Taxonomy Theme, then
click the 'Taxonomy' link to trigger the JavaScript.

Technical Details:

This flaw exists because the taxonomy_theme_admin_table_builder()
function does not escape the vocabulary name before placing it in the
page output. Specifically, line 388 of taxonomy_theme_admin.inc, which
reads:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
$item->name);

should pass $item->name through check_plain() (or an equivalent HTML
escaping function) before it is assigned. A form element's '#value' is
emitted as raw markup by the form renderer, and the name is set by
anyone with the 'administer taxonomy' permission, so it must be escaped
at this point, like so:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
check_plain($item->name));
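The following stand-alone script is an added example, not code from the advisory or from the taxonomy_theme module. It reproduces the bug and the fix outside Drupal: check_plain() is modelled as htmlspecialchars() with ENT_QUOTES (which is what Drupal 5's check_plain() does), the form renderer is reduced to a function that emits '#value' verbatim (as Drupal's markup rendering does), and the vocabulary object, its vid and the $data array are constructed here. The property access is written with braces, $item->{$data['key']}, which is how PHP 5 read the original $item->$data['key'] and is required for the same meaning on PHP 7 and later.

```php
<?php
// Added example: vulnerable vs. fixed row builder for the taxonomy_theme
// admin table. Not part of the advisory or the module; see lead-in for
// the assumptions made here.

// Stand-in for Drupal 5's check_plain(), so the script runs without Drupal.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Minimal stand-in for the form renderer: '#value' is trusted and output as-is,
// which is exactly why unescaped user input in it becomes an XSS sink.
function render_cell($element) {
    return '<td>' . $element['#value'] . '</td>';
}

// Vulnerable builder: mirrors line 388 of taxonomy_theme_admin.inc.
function build_row_vulnerable($item, $data) {
    $form = array();
    $form['table'][$item->{$data['key']}]['title'] = array('#value' => $item->name);
    return $form;
}

// Fixed builder: escape the attacker-controlled name before it becomes markup.
function build_row_fixed($item, $data) {
    $form = array();
    $form['table'][$item->{$data['key']}]['title'] = array('#value' => check_plain($item->name));
    return $form;
}

// Quick check an auditor can run over rendered admin HTML: did a raw
// <script> tag survive into the output?
function contains_raw_script($html) {
    return stripos($html, '<script') !== false;
}

// Constructed vocabulary object carrying the payload from step 4 of the advisory.
$vocab = new stdClass();
$vocab->vid  = 3;                                   // assumed vocabulary id
$vocab->name = "<script>alert('xss');</script>";    // attacker-chosen name
$data = array('key' => 'vid');                      // assumed key used by the table builder

$vuln  = build_row_vulnerable($vocab, $data);
$fixed = build_row_fixed($vocab, $data);

$vuln_html  = render_cell($vuln['table'][3]['title']);
$fixed_html = render_cell($fixed['table'][3]['title']);

echo "vulnerable: $vuln_html\n";
echo "fixed:      $fixed_html\n";
echo "raw script in vulnerable output: " . var_export(contains_raw_script($vuln_html), true) . "\n";
echo "raw script in fixed output:      " . var_export(contains_raw_script($fixed_html), true) . "\n";
```

The same pattern, a user-supplied string assigned straight into '#value', is worth grepping for across any Drupal 5 module you maintain; every hit where the value is not wrapped in check_plain(), filter_xss() or a comparable escaper is a candidate for the same bug.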

--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSacCnZEpbGy7DdYAAQJYPQb/YnDXlQPm5RBW/p9nnx0ER/LJQ2KbFUUR
KTY9L+JsCiClV8PmLxjH8kSUsD5ITIMNmiVoA7OtsOGPD2oiaIuxqrjEKiXkThTb
ugkdrxMsu0dxITI837vt2nJfiHThCuk293Dzf6mGbrMJ77DDeybvyKKP/YxZGqNv
XOI87vedSjqJnREFLjGcyFfmczVTY+CkOaDkgKvWxrqoeOlUvbu7zO52UJm1ZSm0
vJ8gz176zl9R5O/Ar28f7ddlksFmWANgqBSmRCRQLoNBdPcNz4bjmuLc7YFVlYDi
yP1P/e/PNYw=
=laaL
-----END PGP SIGNATURE-----
