The text of this advisory is also available at
http://www.madirish.net/?article=441

Description of Vulnerability:
- - -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various third
party modules.  The Contact module "enables the use of both personal and
site-wide contact forms."  The Contact module is one of the Drupal core
modules, distributed with every Drupal site, but not enabled by default.

Systems affected:
- - -----------------
Drupal 6.14 and 5.20 were tested and shown to be vulnerable.

Impact:
- - -------
Cross site scripting (XSS) vulnerabilities may expose site administrative
accounts to compromise which could lead to web server process compromise.

Mitigating factors:
- - -------------------
To carry out the XSS exploit below the attacker must have 'administer
site-wide contact form' permissions.

Proof of Concept:
- ---------------------
1.  Install Drupal 6.14 and enable the Contact module from Administer ->
Modules
2.  Click Administer -> Site building -> Contact form
3.  Click 'Add category'
4.  Enter "<script>alert('xss');</script>" in the 'Category' text area
5.  Enter arbitrary recipients and click the 'Save' button
6.  Observe the rendered JavaScript at ?q=admin/build/contact

Technical details:
- ------------------------
The Contact module fails to sanitize the output of the contact category
names before display.  Applying the following patch fixes this
vulnerability.

Patch
- -------
Applying the following patch mitigates these threats in Drupal 6.14.

--- drupal-6.14/modules/contact/contact.admin.inc       2007-11-09
02:55:13.000000000 -0500
+++ drupal-6.14/modules/contact/contact.admin.inc 2009-11-11
15:53:55.684432827 -0500
@@ -13,7 +13,7 @@ function contact_admin_categories() {
   $result = db_query('SELECT cid, category, recipients, selected FROM
{contact} ORDER BY weight, category');
   $rows = array();
   while ($category = db_fetch_object($result)) {
-    $rows[] = array($category->category, $category->recipients,
($category->selected ? t('Yes') : t('No')), l(t('edit'),
'admin/build/contact/edit/'. $category->cid), l(t('delete'),
'admin/build/contact/delete/'. $category->cid));
+    $rows[] = array(filter_xss($category->category), $category->recipients,
($category->selected ? t('Yes') : t('No')), l(t('edit'),
'admin/build/contact/edit/'. $category->cid), l(t('delete'),
'admin/build/contact/delete/'. $category->cid));
   }
   $header = array(t('Category'), t('Recipients'), t('Selected'),
array('data' => t('Operations'), 'colspan' => 2));


Applying the following patch mitigates these threats in Drupal 5.20

--- drupal-5.20/modules/contact/contact.module    2008-09-15
02:19:06.000000000 -0400
+++ drupal-5.20/modules/contact/contact.module  2009-11-11
15:55:33.252401609 -0500
@@ -145,7 +145,7 @@ function contact_admin_categories() {
   $result = db_query('SELECT cid, category, recipients, selected FROM
{contact} ORDER BY weight, category');
   $rows = array();
   while ($category = db_fetch_object($result)) {
-    $rows[] = array($category->category, $category->recipients,
($category->selected ? t('Yes') : t('No')), l(t('edit'),
'admin/build/contact/edit/'. $category->cid), l(t('delete'),
'admin/build/contact/delete/'. $category->cid));
+    $rows[] = array(filter_xss($category->category), $category->recipients,
($category->selected ? t('Yes') : t('No')), l(t('edit'),
'admin/build/contact/edit/'. $category->cid), l(t('delete'),
'admin/build/contact/delete/'. $category->cid));
   }
   $header = array(t('Category'), t('Recipients'), t('Selected'),
array('data' => t('Operations'), 'colspan' => 2));

Vendor Response
-------------------------
Upgrade to the latest version.
http://drupal.org/node/661586

-- 
Justin C. Klein Keane
http://www.MadIrish.net