[drupal-devel] [bug] XSS vulnerability in comments

Mogurito drupal-devel at drupal.org
Wed Sep 14 13:57:38 UTC 2005 

Issue status update for 
http://drupal.org/node/31197
Post a follow up: 
http://drupal.org/project/comments/add/31197

 Project:      Drupal
 Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  Mogurito
 Reported by:  Mogurito
 Updated by:   Mogurito
 Status:       patch (code needs review)

Yes, see this link [1]. I posted a comment with a subject that containt
a script. See the comment.
[1] http://www.agali.org/XSS_BUG




Mogurito



Previous comments:
------------------------------------------------------------------------

Wed, 14 Sep 2005 12:12:05 +0000 : Mogurito

Attachment: http://drupal.org/files/issues/comment.module_13.diff (632 bytes)

The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like 'Hello XSS', the comment in
the source code will be closed, provocating that "Hello XSS-->" string
will be show in the page. If the "Hello XSS" string will be replaced by
a script, we can get a XSS Attack.


*Solution*
Analize the subject string and replacing the special characters (, ')
for (<, >, ")


*How*
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("", ">", $edit['subject']);
$edit['subject'] = ereg_replace("\'", """, $edit['subject']);


*Notes*
- Sorry, but my english is not very cool.




------------------------------------------------------------------------

Wed, 14 Sep 2005 12:22:34 +0000 : Mogurito

*CORRECTION* (The comment is not complete)


The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like '<'. If we post a comment
like '-->Hello XSS', the comment in the source code will be closed,
provocating that "Hello XSS-->" string will be show in the page. If the
"Hello XSS" string will be replaced by a script, we can get a XSS
Attack.


Solution
Analize the subject string and replacing the special characters (<,>,
') for (&<, &>, &")


How
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("<", "&<", $edit['subject']);
$edit['subject'] = ereg_replace(">", "&>", $edit['subject']);
$edit['subject'] = ereg_replace(""", "&"", $edit['subject']);


Notes
- Sorry, but my english is not very cool.




------------------------------------------------------------------------

Wed, 14 Sep 2005 13:13:38 +0000 : Thox

Attachment: http://drupal.org/files/issues/comment.module_27.patch (1.04 KB)

I imagine it is wiser to handle this with check_plain() in
theme_comment(), the same as it is handled in theme_node(). See
attached patch against CVS HEAD.




------------------------------------------------------------------------

Wed, 14 Sep 2005 13:17:30 +0000 : tostinni

Can you give us a proof of concept, because, I can't reproduce it.
If I put something between a <script> tag, it is stripped out.


In fact everything rely on the action of filter module, which take care
of stripping undesirable code. And I think that it's doing a good job.

More information about the drupal-devel mailing list