-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version Tested:
Taxonomy Theme 5.x-1.1 (http://drupal.org/project/taxonomy_theme)
Drupal 5.15 (http://drupal.org)

Module maintainer and Drupal security team notified

"The taxonomy_theme module allows you to change the theme of a given
node based on the taxonomy term, vocabulary or nodetype of that node.
You can also theme your forums and map themes to Drupal paths or path
aliases directly."  The module contains a Cross Site Scripting (XSS)
vulnerability that can allow users with 'administer taxonomy' privileges
to expose users of the Taxonomy Theme module to XSS attacks.  Details
are also available at http://www.lampsecurity.org/node/21

Executing the Attack:

1.  Enable the Drupal core Taxonomy module
2.  Create a new vocabulary by clicking Administer -> Content Management
- -> Categories.
3.  Click the 'Add Vocabulary' link
4.  For the 'Vocabulary name' enter <script>alert('xss');</script>, fill
in arbitrary values for all other fields
5.  Click on Administer -> Site configuration -> Taxonomy Theme, then
click the 'Taxonomy' link to trigger the JavaScript.

Technical Details:

This flaw exists do to a lack of output checking in the
taxonomy_theme_admin_table_builder() function.  Specifically, on line
388 of taxonomy_theme_admin.inc, which reads:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
$item->name);

Should use check_plain() or similar sanitation function on the
$item->name value like so:

$form['table'][$item->$data['key']]['title'] = array('#value' =>
check_plain($item->name));

- --
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSacCnZEpbGy7DdYAAQJYPQb/YnDXlQPm5RBW/p9nnx0ER/LJQ2KbFUUR
KTY9L+JsCiClV8PmLxjH8kSUsD5ITIMNmiVoA7OtsOGPD2oiaIuxqrjEKiXkThTb
ugkdrxMsu0dxITI837vt2nJfiHThCuk293Dzf6mGbrMJ77DDeybvyKKP/YxZGqNv
XOI87vedSjqJnREFLjGcyFfmczVTY+CkOaDkgKvWxrqoeOlUvbu7zO52UJm1ZSm0
vJ8gz176zl9R5O/Ar28f7ddlksFmWANgqBSmRCRQLoNBdPcNz4bjmuLc7YFVlYDi
yP1P/e/PNYw=
=laaL
-----END PGP SIGNATURE-----