-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Better Formats module (http://drupal.org/project/better_formats) contains a cross site scripting (XSS) vulnerability due to the fact that it fails to sanitize format names before display. Systems affected: - ----------------- Drupal 6.16 with Better Formats 6.x-1.2 was tested and shown to be vulnerable Impact - ------ User could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. Mitigating factors: - ------------------- In order to execute arbitrary script injection malicious users must have 'Administer filters' permission. The Drupal security team has classified vulnerabilities that require this permission (http://drupal.org/node/475848) as "display bugs" because access to this permission allows for alteration of input specifications that could allow users with permissions to create content to craft arbitrary PHP. However, in a situation where a user had "administer filters" permission but could not create content this vulnerability could be used to attack other Drupal users. Patch: - ------------------------------------------ Applying the following patch mitigates this issue in version 6.x-1.2. - --- better_formats/better_formats.module 2010-02-05 08:59:18.000000000 -0500 +++ better_formats/better_formats.module 2010-04-27 11:35:53.444189426 -0400 @@ -537,7 +537,7 @@ function better_formats_filter_form($val $form = array( '#type' => 'fieldset', - - '#title' => $fieldset_title, + '#title' => check_plain($fieldset_title), '#collapsible' => $collapsible, '#collapsed' => $collapsed, '#weight' => $weight, @@ -551,7 +551,7 @@ function better_formats_filter_form($val $parents_for_id = array_merge($parents, array($format->format)); $form[$format->format] = array( '#type' => 'radio', - - '#title' => $format->name, + '#title' => check_plain($format->name), '#default_value' => $default, '#return_value' => $format->format, '#parents' => $parents, - -- Justin C. Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPsEAQECAAYFAkvXC7UACgkQkSlsbLsN1gAYFQb4mjTDJY/6KP2JQIv0pK9H/20s g/+dwvKFc78AQMMKqDzi3rfqF4L+RzE6bHPsKHmN7yWIxIGMccbL13rOAvarEzgZ jYyfC24Lbhla38p4JkwWltxPNgsH10wXLGdv+BsiFp8oZUpuAQez0N0SNxhr1mX5 rzZ0fgBEQm7WMmgH9qyLdso1erEQ5sLgPmED5dsaYK2Z2QHBgN19Ed0P1iEZpTdy anFseTfo00Uts6zOd3loQ/ZeaAOAnYFZwunOtHVurFPyWpAaM1DGVAOHHWtR265d jQMygOdRmQ5qtV/HpA== =z0IC -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/