Drupal Panels Cross Site Scripting

Posted Jan 31, 2011
Authored by Justin C. Klein Keane

The Drupal Panels module suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | aa5cfc88566f07e1009870ca9ea3e273c1b7bbcae3e506c69c86ba57bfc6bf5b

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Panels module
(http://drupal.org/project/panels) "allows a site administrator to
create customized layouts for multiple uses. At its core it is a drag
and drop content manager that lets you visually design a layout and
place content within that layout." Unfortunately, the Panels module
contains an arbitrary HTML injection vulnerability (also known as cross
site scripting, or XSS) because it fails to sanitize the div class and
id values specified for panels before display.

Systems affected:
-----------------
Drupal 5.21 with Panels 5.x-1.2 was tested and shown to be vulnerable

Impact
------
A user could inject arbitrary scripts into pages affecting site users.
This could result in administrative account compromise leading to web
server process compromise. A more likely scenario would be for an
attacker to inject hidden content (such as iframes, applets, or embedded
objects) that would attack client browsers in an attempt to compromise
site users' machines. This vulnerability could also be used to launch
cross site request forgery (XSRF) attacks against the site that could
have other unexpected consequences.

Mitigating factors:
-------------------
In order to exploit this vulnerability the attacker must have
credentials to an authorized account that has been assigned the 'use
page manager' and 'administer advanced pane settings' permissions. This
could be accomplished via social engineering, brute force password
guessing, or abuse of legitimate credentials.

Proof of concept:
-----------------
1. Install Drupal 5, Panels 5.x-1.2 and Ctools module (a prerequisite)
2. Enable the Panels module and the page manager in Ctools from
?q=/admin/build/modules
3. Administer panels from ?q=/admin/build/panels and click on the
'Panel page' link on the left
4. Check 'Make this your site home page' and fill in arbitrary values
for the rest
5. In the resulting screen
(?q=admin/build/pages/add/page-[page_name]/next) select the 'Flexible'
and 'Builders' from the Category drop down
6. Click continue
7. Enter arbitrary values in the resulting form
8. Click finish then 'Update and save'
9. In the Panel Content designer
(?q=admin/build/pages/nojs/operation/page-[page_name]/handlers/page_[page_name]_panel_context/content)
click the gear in the 'Center' region
10. Select 'Add content'
11. Select 'Existing node' and enter the nid of an existing node.
12. Click the gear to the right of the header in the new box preview of
the node
13. Select 'CSS Properties'
14. In the shadow box that pops up enter
'"><script>alert('xss1');</script><div id="' for the 'CSS ID'
15. Enter '"><script>alert('xss1');</script><div id="' for the 'CSS class'
16. Click 'Update and preview' to observe the JavaScript alerts
17. Click 'Save' to store these values so they are displayed on the
home page


Patch:
------------------------------------------
Applying the following patch mitigates this issue in version 5.x-1.2

- --- modules/panels/content_types/custom.inc 2007-03-15
19:13:41.000000000 -0400
+++ modules/panels/content_types/custom.inc 2011-01-14
12:04:23.371814132 -0500
@@ -16,8 +16,8 @@ function panels_custom_panels_content_ty
*/
function panels_content_custom($conf) {
$title = filter_xss_admin($conf['title']);
- - $css_id = filter_xss_admin($conf['css_id']);
- - $css_class = filter_xss_admin($conf['css_class']);
+ $css_id = str_replace('"', '', filter_xss_admin($conf['css_id']));
+ $css_class = str_replace('"', '', filter_xss_admin($conf['css_class']));
$body = check_markup($conf['body'], $conf['format'], FALSE);
return theme('panels_content_custom', $title, $body, $css_id,
$css_class);
}
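Review bot: the fix strips only double quotes from `$css_id` and `$css_class`, so the result still depends on the theme quoting those attributes with double quotes, and it touches only content_types/custom.inc although the proof of concept above sets 'CSS Properties' on an 'Existing node' pane rather than a custom pane. Consider reducing both values to CSS identifier characters instead (for example `preg_replace('/[^A-Za-z0-9_ -]/', '', ...)`) and applying the same cleaning wherever Panels renders pane css_id and css_class values, including the node content type and the pane-level CSS settings, so that the path exercised in the proof of concept is covered.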

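The following is an added example, not code from the Panels module or from the advisory author, contrasting the unsafe attribute interpolation described above with a whitelist-based cleaner that is stricter than the quote-stripping patch. The function names and the shape of the `$conf` array are assumed for illustration; the input reuses the advisory's proof-of-concept value.

```php
<?php
// Added example (not Panels code). $conf['css_id'] / $conf['css_class'] mirror
// the keys used in the patch above; the render functions are hypothetical.

// Vulnerable pattern: the stored values land inside double-quoted attributes
// unchanged. A value containing  "><...  closes the attribute and the tag, so
// stripping <script> elsewhere does not help once the attribute context is lost.
function render_pane_unsafe($conf, $body) {
  return '<div id="' . $conf['css_id'] . '" class="' . $conf['css_class'] . '">'
    . $body . '</div>';
}

// Reduce a single token to CSS identifier characters (letters, digits, '-', '_').
// Unlike str_replace('"', '', ...) this does not depend on how the theme quotes
// the attribute, because quotes, angle brackets and spaces never survive.
function clean_css_identifier($value) {
  return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $value);
}

// A class attribute may legitimately hold several space-separated classes, so
// clean each token separately and drop the ones that end up empty.
function clean_css_class_list($value) {
  $tokens = preg_split('/\s+/', trim((string) $value));
  $clean = array_filter(array_map('clean_css_identifier', $tokens), 'strlen');
  return implode(' ', $clean);
}

// Hardened pattern: whitelist first, then attribute-escape as a second layer so
// that any future relaxation of the whitelist still cannot break the attribute.
function render_pane_safe($conf, $body) {
  $id    = clean_css_identifier($conf['css_id']);
  $class = clean_css_class_list($conf['css_class']);
  $attrs = '';
  if ($id !== '') {
    $attrs .= ' id="' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '"';
  }
  if ($class !== '') {
    $attrs .= ' class="' . htmlspecialchars($class, ENT_QUOTES, 'UTF-8') . '"';
  }
  return '<div' . $attrs . '>' . $body . '</div>';
}

// Constructed pane configuration using the proof-of-concept value from the advisory.
$conf = array(
  'css_id'    => '"><script>alert(\'xss1\');</script><div id="',
  'css_class' => 'pane-news  featured',
);
$body = '<p>node body</p>';

echo render_pane_unsafe($conf, $body), "\n";  // attribute is broken out of
echo render_pane_safe($conf, $body), "\n";    // only identifier characters remain
```

Running the script shows the first line opening a second tag from inside the id attribute and the second line rendering a single div whose id is the stripped-down identifier.
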
Vendor Response:
------------------------------------------
Drupal security team no longer supports resolution of vulnerabilities in
Drupal 5. Module maintainer notified in public forums.

Details of this vulnerability are also posted at
http://www.madirish.net/?article=478

--
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail may be confirmed using the
PGP key located at: http://www.madirish.net/gpgkey
