[drupal-devel] [bug] XSS vulnerability in comments

eldarin drupal-devel at drupal.org
Wed Sep 14 14:03:12 UTC 2005 

Issue status update for 
http://drupal.org/node/31197
Post a follow up: 
http://drupal.org/project/comments/add/31197

 Project:      Drupal
 Version:      cvs
 Component:    comment.module
 Category:     bug reports
 Priority:     critical
 Assigned to:  Mogurito
 Reported by:  Mogurito
 Updated by:   eldarin
 Status:       patch (code needs review)

Quite serious implications ...
This would of course allow someone to pick up all the user passwords
being typed on pages !!!
The worst one of these is of course the admin user and password. It's
very easy to get some DOM-handling and attaching to the submit of the
user login form.


8^O




eldarin



Previous comments:
------------------------------------------------------------------------

Wed, 14 Sep 2005 12:12:05 +0000 : Mogurito

Attachment: http://drupal.org/files/issues/comment.module_13.diff (632 bytes)

The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like 'Hello XSS', the comment in
the source code will be closed, provocating that "Hello XSS-->" string
will be show in the page. If the "Hello XSS" string will be replaced by
a script, we can get a XSS Attack.


*Solution*
Analize the subject string and replacing the special characters (, ')
for (<, >, ")


*How*
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("", ">", $edit['subject']);
$edit['subject'] = ereg_replace("\'", """, $edit['subject']);


*Notes*
- Sorry, but my english is not very cool.




------------------------------------------------------------------------

Wed, 14 Sep 2005 12:22:34 +0000 : Mogurito

*CORRECTION* (The comment is not complete)


The source code interpreted by the browser, have html comment with the
subject by each comment. For example, if we post a comment like
'Hello', Drupal write in the source code . But the problem come when a
post is send with special characters like '<'. If we post a comment
like '-->Hello XSS', the comment in the source code will be closed,
provocating that "Hello XSS-->" string will be show in the page. If the
"Hello XSS" string will be replaced by a script, we can get a XSS
Attack.


Solution
Analize the subject string and replacing the special characters (<,>,
') for (&<, &>, &")


How
Adding this lines to the function comment_validate_form:
$edit['subject'] = ereg_replace("<", "&<", $edit['subject']);
$edit['subject'] = ereg_replace(">", "&>", $edit['subject']);
$edit['subject'] = ereg_replace(""", "&"", $edit['subject']);


Notes
- Sorry, but my english is not very cool.




------------------------------------------------------------------------

Wed, 14 Sep 2005 13:13:38 +0000 : Thox

Attachment: http://drupal.org/files/issues/comment.module_27.patch (1.04 KB)

I imagine it is wiser to handle this with check_plain() in
theme_comment(), the same as it is handled in theme_node(). See
attached patch against CVS HEAD.




------------------------------------------------------------------------

Wed, 14 Sep 2005 13:17:30 +0000 : tostinni

Can you give us a proof of concept, because, I can't reproduce it.
If I put something between a <script> tag, it is stripped out.


In fact everything rely on the action of filter module, which take care
of stripping undesirable code. And I think that it's doing a good job.




------------------------------------------------------------------------

Wed, 14 Sep 2005 13:57:35 +0000 : Mogurito

Yes, see this link [1]. I posted a comment with a subject that containt
a script. See the comment.
[1] http://www.agali.org/XSS_BUG

More information about the drupal-devel mailing list