Drupal 6.17: FAQ and FAQ Search modules contain XSS vulnerabilities
This code looked suspicious to me while I was adding a pager feature to the FAQ 6.x-1.12 module:
[geshifilter-php]
// Faq.module,v 1.1.4.52.2.145 2010/10/29 :
function faq_view_question(&$data, $node, $path = NULL, $anchor = NULL) {
  $disable_node_links = variable_get('faq_disable_node_links', FALSE);
  $question = '';
  if ($disable_node_links) {
    if (empty($path) && empty($anchor)) {
      // The title is plain text and is correctly escaped here.
      $question = check_plain($node->title);
    }
    elseif (empty($path)) {
      $question = '<a name="' . $anchor . '" id="' . $anchor . '">' . check_plain($node->title) .'</a>';
    }
    else {
      $options = array();
      if ($anchor) {
        $options['attributes'] = array('id' => $anchor);
      }
      $question = l($node->title, $path, $options);
    }
  }
  else {
    if (empty($anchor)) {
      $question = l($node->title, "node/$node->nid");
    }
    else {
      $question = l($node->title, "node/$node->nid", array("attributes" => array("name" => "$anchor", "id" => "$anchor")));
    }
  }
  if (variable_get('faq_display', 'questions_top') != 'hide_answer' && !empty($node->detailed_question) && variable_get('faq_question_length', 'short') == 'both') {
    // detailed_question is inserted into the markup without any filtering.
    $question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
  }
  $data['question'] = $question;
}
[/geshifilter-php]
The "detailed question" field is not filtered, so it is vulnerable to stored (persistent) XSS:
[geshifilter-php]
<script>alert('CSS')</script>
[/geshifilter-php]
If full question display is enabled in the page layout, the payload above pops an alert window with the word "CSS".
To prevent it, use the check_markup() function, which filters the text according to the node's chosen input format:
[geshifilter-php]
+ $node->detailed_question = check_markup($node->detailed_question, $node->format, FALSE);
$question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
[/geshifilter-php]
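Review bot: the added line writes the filtered HTML back into $node->detailed_question instead of a local variable; PHP objects are shared by handle, so any later consumer of the same node object in this request (a second theme call for the same node, for example) sees already-rendered HTML and check_markup() runs on it a second time. Suggest `$detailed = check_markup($node->detailed_question, $node->format, FALSE);` and concatenating `$detailed` into the div. A caveat worth stating in the fix: check_markup() only removes what the node's input format removes, and Drupal 6's Full HTML format carries no HTML filter by default, so the `<script>` tag from the payload above survives unchanged for authors granted that format. The fix is therefore only as strong as the input formats granted to roles allowed to create FAQ nodes.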
FAQ Search 6.x-1.3-beta3 does not filter the question field either:
[geshifilter-php]
// faq_search.find.inc,v 1.1.2.1 2009/09/08:
function faq_search_find() {
  // The search term is length-limited and stripped of tags, and db_query()
  // escapes the %s placeholder, so the term itself is safe against SQL injection.
  $term = strip_tags(drupal_substr($_POST['keyword'], 0, 100));
  $query = "SELECT question,nid
            FROM {faq_questions}
            WHERE question LIKE '%%%s%%'
            ORDER BY question asc";
  $result = db_query($query, $term);
  $string = "";
  while ($row = db_fetch_object($result)) {
    // The stored question is concatenated into the markup without escaping.
    $string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
  }
  if ( empty($string) ) {
    $string = t("<p class='message'>No matches!</p>");
  }
  echo $string;
  exit;
}
[/geshifilter-php]
check_markup() can be used here as well to prevent the XSS.
Note that the SQL query is also changed to take the questions' publication status into account: it joins {node} and returns only published nodes (n.status = 1).
[geshifilter-php] + $query = "SELECT q.question,q.nid FROM {faq_questions} q,{node} n WHERE q.nid=n.nid and n.status=1 and q.question LIKE '%%%s%%' ORDER BY q.question asc"; + $row->question = check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE); $string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>"; [/geshifilter-php]
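Review bot: check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE) is the wrong primitive for this column: question is the node title, which faq_view_question() above treats as plain text with check_plain(), and the site's default input format is not necessarily one that strips script tags. Suggest `$row->question = check_plain($row->question);`, which neutralizes the payload regardless of format configuration. Two smaller points on the same hunk: the new query lists nodes without passing through db_rewrite_sql(), so node-access modules are bypassed and the `n.status=1` condition is the only access check; and the href is still built from `"/". drupal_get_path_alias(...)` rather than url('node/'. $row->nid), which breaks on sites installed in a subdirectory and leaves the alias unescaped inside a single-quoted attribute.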
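As an added example (not code from the FAQ or FAQ Search modules, nor from the original post), the following stand-alone PHP script replays the faq_search_find() output loop on constructed rows, so the vulnerable and the hardened output can be compared without a Drupal install. demo_check_plain() stands in for Drupal 6's check_plain(); the row data and every demo_* name are assumptions made for this demo.

```php
<?php
// Added example, not code from the FAQ or FAQ Search modules. It reproduces
// the faq_search_find() loop outside Drupal so the fix on this page can be
// run on constructed rows. demo_check_plain() is a stand-in for Drupal 6's
// check_plain() (htmlspecialchars with ENT_QUOTES, UTF-8 behind a UTF-8
// validity check); all demo_* names are assumptions, not module functions.

// Stand-in for check_plain(): escape a plain-text value for use in HTML.
function demo_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed rows, shaped like a join of {faq_questions} and {node}.
// Row 13 is a stored payload saved by a user allowed to create FAQ nodes.
function demo_rows() {
  return array(
    array('nid' => 12, 'status' => 1, 'question' => 'How do I reset my password?'),
    array('nid' => 13, 'status' => 1, 'question' => "<script>alert('CSS')</script>"),
    array('nid' => 14, 'status' => 0, 'question' => 'Unpublished draft'),
  );
}

// Shape of the original loop: the question column goes into the markup
// untouched. Sanitising the search term (strip_tags on $_POST['keyword'])
// does nothing for this, because the payload was stored earlier through the
// node form, not submitted with this request.
function demo_render_unsafe(array $rows) {
  $out = '';
  foreach ($rows as $row) {
    $out .= "<a href='/node/" . $row['nid'] . "'>" . $row['question'] . "</a>";
  }
  return $out;
}

// Hardened loop: escape the title on output with the check_plain() stand-in
// and drop rows whose node is unpublished, which is what the patched query's
// n.status = 1 condition does in SQL.
function demo_render_safe(array $rows) {
  $out = '';
  foreach ($rows as $row) {
    if ((int) $row['status'] !== 1) {
      continue;
    }
    $out .= "<a href='/node/" . (int) $row['nid'] . "'>"
          . demo_check_plain($row['question']) . "</a>";
  }
  return $out;
}

// Minimal check a tester can run on either output: is a raw tag still there?
function demo_has_raw_tag($html, $tag) {
  return stripos($html, '<' . $tag) !== false;
}

$rows = demo_rows();
$unsafe = demo_render_unsafe($rows);
$safe = demo_render_safe($rows);

echo "unsafe output:\n$unsafe\n";
echo "script tag present: " . (demo_has_raw_tag($unsafe, 'script') ? 'yes' : 'no') . "\n\n";
echo "safe output:\n$safe\n";
echo "script tag present: " . (demo_has_raw_tag($safe, 'script') ? 'yes' : 'no') . "\n";
```

Run it with `php demo.php`: the unsafe branch emits the script element verbatim and includes the unpublished node, while the safe branch emits it as `&lt;script&gt;...` and omits node 14. The same rule applies to the detailed-question path in faq_view_question(): a plain-text field gets check_plain() on output, a field written under an input format gets check_markup() with that field's format, and neither call substitutes for the other.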