
Drupal CCK Cross Site Scripting

Posted May 19, 2009
Authored by Justin C. Klein Keane

The Drupal Content Creation Kit (CCK) suffers from a cross site scripting vulnerability. Drupal version 6.12 with CCK 6.x-2.2 is affected.

tags | exploit, xss
SHA-256 | a925c69fc2d26c0536bbf067e84b21b62ecb24c0129d0ce0feb5e075aa8b368c

Vendor Notified: 05/18/09
Vendor Response: Karoly Negyesi of Drupal security denies issue exists.
Drupal security has responded to reports of CCK based XSS
vulnerabilities in the past with http://drupal.org/node/372836, which
basically shirks the issue. Although a problem clearly exists, Drupal
seems unconcerned with fixing it, instead semantically hiding the
vulnerability behind a reclassification of permissions that appears only
in SA-CORE-2009-002 rather than in either the Drupal interface or
documentation.

Details of this report are also published at
http://lampsecurity.org/drupal-cck-xss-vulnerability

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through hundreds of
third party modules. The Drupal Content Creation Kit (CCK) is a module
that allows site maintainers to modify content types by associating
custom fields with specific content types. The Drupal CCK module
contains a vulnerability that could allow an authenticated attacker to
inject arbitrary script into administration screens for content types.
This could allow an attacker to issue a cross site scripting (XSS)
attack against Drupal users with elevated privilege levels.

Systems affected:
-----------------
Drupal 6.12 with CCK 6.x-2.2 was tested and shown to be vulnerable

Mitigating factors:
-------------------
CCK must be installed and enabled. Attacker must have 'administer
content types' permissions in order to exploit this vulnerability.

Proof of concept:
-----------------
1. Install Drupal 6.12.
2. Install CCK and enable all CCK functionality through Administer ->
Modules
3. Click on Administer -> Content management -> Content types
4. Select a type and click the 'manage fields' operation
5. Click 'edit' to edit the node-type
6. Expand the 'Submission form settings' input area
7. Fill in "<script>alert('title');</script>" for the "Title field label"
8. Fill in "<script>alert('body');</script>" for the "Body field label"
9. Click 'Save content type'
10. Click Administer -> Content Management -> Content types
11. Click "manage fields" link for the type selected in #4 above
12. Observe two JavaScript alerts

--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
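
Added example (not part of the original advisory, and not Drupal or CCK source code): the unescaped-label pattern behind the report next to its output-escaped form, plus an audit pass over stored content type labels. The function names and sample rows are hypothetical; the row keys are assumed to mirror the title_label and body_label columns of Drupal 6's node_type table.

```php
<?php
// Added example, not Drupal or CCK source. All function names are hypothetical.

// Stand-in for Drupal's check_plain(), which HTML-escapes plain text.
function escape_label($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: a stored label concatenated into admin markup as-is.
function render_row_unsafe($label) {
  return '<td class="label">' . $label . '</td>';
}

// Hardened pattern: the label is treated as plain text at output time.
function render_row_safe($label) {
  return '<td class="label">' . escape_label($label) . '</td>';
}

// Audit helper: report stored labels containing HTML metacharacters, i.e.
// values whose escaped form differs from the stored form. Benign labels
// such as "Q&A" are reported too, so hits need manual review.
function find_suspect_labels(array $rows) {
  $hits = array();
  foreach ($rows as $row) {
    foreach (array('title_label', 'body_label') as $col) {
      if (escape_label($row[$col]) !== $row[$col]) {
        $hits[] = array($row['type'], $col, $row[$col]);
      }
    }
  }
  return $hits;
}

// Constructed sample rows (assumed shape: type, title_label, body_label).
$rows = array(
  array('type' => 'page', 'title_label' => 'Title', 'body_label' => 'Body'),
  array('type' => 'story', 'title_label' => "<script>alert('title');</script>",
        'body_label' => 'Body'),
);

foreach (find_suspect_labels($rows) as $hit) {
  list($type, $col, $value) = $hit;
  echo "suspect: $type.$col\n";
  echo "  unsafe: " . render_row_unsafe($value) . "\n";
  echo "  safe:   " . render_row_safe($value) . "\n";
}
```

Only the "story" row is reported; its safe rendering contains &lt;script&gt; as inert text, while the unsafe rendering emits a live script element.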
