full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] XSS Vulnerability in Drupa

[Full-disclosure] XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1)

From: Marty Barbella <martybarbella_at_nospam>
Date: Thu Jan 14 2010 - 14:53:21 GMT
To: full-disclosure@lists.grok.org.uk

XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1)

Discovered by Martin Barbella <martybarbella@gmail.com>

Description of Vulnerability:

Drupal is a free software package that allows an individual or a community of users to easily publish, manage and organize a wide variety of content on a website. (From: http://drupal.org/about)

The Node Blocks module allows users to specify content type(s) as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. (From: http://drupal.org/project/nodeblock)

The block title is not properly sanitized when a user displays a block created from a node, resulting in a cross site scripting vulnerability.

Systems affected:

This has been confirmed in Node Blocks 6.x-1.3 and 5.x-1.1. Previous versions may also be affected.


This is an example of a stored cross site scripting vulnerability. Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. (From OWASP:

Mitigating factors:

A user must be able to create nodes of a type used by Node Blocks, and this node must be added as a block by a user with the administer blocks permission.

Proof of concept:

  1. Install the Node Blocks module
  2. Create a content type with available as block enabled
  3. As a user with permission to create nodes of this type, create a node with the title "<script>alert('XSS')</script>"
  4. As a user that can administer blocks, add this block to a region
  5. Note that an alert box will be displayed when the block is generated on a page


Install version 6.x-1.4 or 5.x-1.2 of the Node Blocks module.


2009-12-29 - Drupal Security notified.
2010-01-13 - Security announcement released on drupal.org (http://drupal.org/node/683598)


This vulnerability was reported by Martin Barbella to Khalid Baheyeldin at Drupal Security, and fixed by Thomas Turnbull.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/