[Security-news] SA-CORE-2009-005 - Drupal core - Cross site scripting

security-news at drupal.org security-news at drupal.org
Thu Apr 30 00:48:51 UTC 2009


  * Advisory ID: DRUPAL-SA-CORE-2009-005
  * Project: Drupal core
  * Version: 5.x, 6.x
  * Date: 2009-April-29
  * Security risk: Moderately critical
  * Exploitable from: Remote
  * Vulnerability: Cross site scripting

-------- DESCRIPTION ---------------------------------------------------------

When outputting user-supplied data, Drupal strips potentially dangerous HTML
attributes and tags or escapes characters which have a special meaning in
HTML. This output filtering secures the site against cross site scripting
attacks via user input. Certain byte sequences that are valid in the UTF-8
specification are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they appear before
the <meta http-equiv="Content-Type" /> tag that specifies the page content as
UTF-8, despite the fact that Drupal also sends a real HTTP header specifying
the content as UTF-8. This behaviour enables malicious users to insert and
execute JavaScript in the context of the website if site visitors are allowed
to post content. Wikipedia has more information about cross site scripting
[1] (XSS).

In addition, Drupal core also has a very limited information disclosure
vulnerability under very specific conditions. If a user is tricked into
visiting the site via a specially crafted URL and then submits a form (such
as the search box) from that page, the information in their form submission
may be directed to a third-party site determined by the URL and thus
disclosed to the third party. The third-party site may then execute a CSRF
[2] attack against the submitted form. This vulnerability is limited to forms
present on the front page. The user login form is not vulnerable.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Drupal 5.x before version 5.17.
  * Drupal 6.x before version 6.11.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you are running Drupal 6.x then upgrade to Drupal 6.11 [3].
  * If you are running Drupal 5.x then upgrade to Drupal 5.17 [4].

If you are unable to upgrade immediately, you can apply a patch to secure
your installation until you are able to do a proper upgrade. These patches
fix the security vulnerability but do not contain the other fixes which were
released in Drupal 5.17 or Drupal 6.11.
  * To patch Drupal 6.10 use SA-CORE-2009-005-6.10.patch [5].
  * To patch Drupal 5.16 use SA-CORE-2009-005-5.16.patch [6].

As an alternative solution if you are unable to upgrade immediately, you can
alter your page template following the pattern in the core changes. Open your
theme's main page.tpl.php file as well as any other page templates like
page-node.tpl.php or page-front.tpl.php and move the line that prints $head
(<?php print $head ?>) above the line with the <title> tag, so that it is the
first item after <head>.
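The following script is an added example, not part of the advisory or of Drupal itself. It checks a theme directory for page templates that still print $head after the <title> tag (the ordering the workaround above removes) and runs against two constructed sample templates; it assumes templates are named page*.tpl.php and print $head with "<?php print $head ?>".

```shell
#!/bin/sh
# Audit Drupal 5.x/6.x page templates for the $head / <title> ordering
# described in SA-CORE-2009-005. A template is flagged when the line that
# prints $head (which carries the Content-Type meta tag) comes after <title>.

# Returns 0 when $head is printed before <title> (the fixed ordering),
# 1 when <title> comes first, 2 when either marker is missing.
head_before_title() {
  file="$1"
  # '[ ;]' after $head avoids matching the unrelated $head_title variable.
  head_line=$(grep -n 'print \$head[ ;]' "$file" | head -n 1 | cut -d: -f1)
  title_line=$(grep -n '<title' "$file" | head -n 1 | cut -d: -f1)
  [ -n "$head_line" ] && [ -n "$title_line" ] || return 2
  [ "$head_line" -lt "$title_line" ]
}

# Print every page template under a theme directory that still needs fixing.
audit_theme() {
  find "$1" -name 'page*.tpl.php' | while read -r f; do
    head_before_title "$f" || echo "needs fix: $f"
  done
}

# Constructed sample templates for a stand-alone run (not real theme files).
# page.tpl.php has the pre-6.11 ordering; page-front.tpl.php has the fix.
tmp=$(mktemp -d)
cat > "$tmp/page.tpl.php" <<'EOF'
<head>
  <title><?php print $head_title ?></title>
  <?php print $head ?>
  <?php print $styles ?>
</head>
EOF
cat > "$tmp/page-front.tpl.php" <<'EOF'
<head>
  <?php print $head ?>
  <title><?php print $head_title ?></title>
  <?php print $styles ?>
</head>
EOF
audit_theme "$tmp"
```

Run it against your theme directory (for example `audit_theme sites/all/themes/mytheme`) to list the templates that still need the $head line moved.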

-------- REPORTED BY ---------------------------------------------------------

The UTF-7 XSS issue was reported by pod.Edge. The information disclosure
vulnerability was reported by Moritz Naumann [7].

-------- FIXED BY ------------------------------------------------------------

The Drupal security team

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://en.wikipedia.org/wiki/Xss
[2] http://en.wikipedia.org/wiki/Cross-site_request_forgery
[3] http://ftp.drupal.org/files/projects/drupal-6.11.tar.gz
[4] http://ftp.drupal.org/files/projects/drupal-5.17.tar.gz
[5] http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-6.10.patch
[6] http://drupal.org/files/sa-core-2009-005/SA-CORE-2009-005-5.16.patch
[7] http://moritz-naumann.com/
