11 May 2010, 16:55

XSS vulnerability fixed in Drupal module - Update

Drupal Logo The development team behind the Drupal module Context have released version 6.x-2.0-rc4, which fixes a cross-site scripting (XSS) vulnerability when displaying block descriptions. If a user with 'administer blocks' permission clicks on a crafted link, JavaScript contained in the link is executed with the privileges of the Drupal page. Attackers can exploit this to gain access to a system. Just a few weeks ago, a 'simple' XSS vulnerability in a bug-tracking system allowed root access to Apache Software Foundation servers, so XSS vulnerabilities are certainly not to be treated lightly.

Although the Context module is a release candidate, it is nonetheless in use on many live sites, including the US President's office's White House site, which uses a "Context HTTP Headers" module that also requires the Context module. Because the module is still a release candidate, in accordance with their security policy the Drupal developers have not released an official warning, despite the fact that they do otherwise warn of vulnerabilities in third party modules.

Drupal security team member Greg Knaddison published a list of workarounds on his blog, prior to the Context developers releasing their update.

Update: According to Drupal security team member Heine Deelstra, there is no URL manipulation or JavaScript contained in the link itself involved in the exploitation of the vulnerability. The vulnerability occurs if a user with 'administrator blocks' permission has added JavaScript to a block description on the block administration page. The impact is low since not that many sites using context have role seperation between block admins and other admins. Only a small subsection of the sites using the context release candidate are affected.

See also: