Drupal 6.17 FAQ and FAQ Search modules contain an XSS vulnerability

This code seemed suspicious to me when I was adding a pager feature to these modules (FAQ 6.x-1.12):

Faq.module,v 1.1.4.52.2.145 2010/10/29:
function faq_view_question(&$data, $node, $path = NULL, $anchor = NULL) {
  $disable_node_links = variable_get('faq_disable_node_links', FALSE);
  $question = '';
  if ($disable_node_links) {
    if (empty($path) && empty($anchor)) {
      $question = check_plain($node->title);
    }
    elseif (empty($path)) {
      $question = '<a name="' . $anchor . '" id="' . $anchor . '">' . check_plain($node->title) .'</a>';
    }
    else {
      $options = array();
      if ($anchor) {
        $options['attributes'] = array('id' => $anchor);
      }
      $question = l($node->title, $path, $options);
    }
  }
  else {
    if (empty($anchor)) {
      $question = l($node->title, "node/$node->nid");
    }
    else {
      $question = l($node->title, "node/$node->nid", array("attributes" => array("name" => "$anchor", "id" => "$anchor")));
    }
  }
  if (variable_get('faq_display', 'questions_top') != 'hide_answer' && !empty($node->detailed_question) && variable_get('faq_question_length', 'short') == 'both') {
    // $node->detailed_question is concatenated into the markup as-is, with no check_plain()/check_markup().
    $question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
  }
  $data['question'] = $question;
}

The "detailed question" field is not filtered and is vulnerable to active (stored) XSS:

<script>alert('CSS')</script>

If full question display is enabled in the page layout, the payload above will pop up an alert box containing the word "CSS".

To fix it, use the check_markup() function, which filters the text according to the chosen input format:

+  $node->detailed_question = check_markup($node->detailed_question, $node->format, FALSE);
   $question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
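Review bot: the check_markup() call on the added line filters according to $node->format, so the protection is only as strong as the input format configured for that node; on a format that lets raw HTML through, the script payload quoted above is still emitted unchanged. If the detailed question is meant to be plain text, `check_plain($node->detailed_question)` is the stricter fix; check_markup() is the right choice only when the field is expected to carry formatted HTML, and the post should say which case applies.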

FAQ Search 6.x-1.3-beta3 does not filter the question field either:

faq_search.find.inc,v 1.1.2.1 2009/09/08:
function faq_search_find() {
  $term = strip_tags(drupal_substr($_POST['keyword'], 0, 100));
  $query = "SELECT question,nid
  FROM {faq_questions}
  WHERE question LIKE '%%%s%%'
  ORDER BY question asc";
  $result = db_query($query, $term);
  $string = "";
  while ($row = db_fetch_object($result)) {
    // $row->question is written into the link text without check_plain()/check_markup().
    $string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
  }
  if ( empty($string) ) {
    $string = t("<p class='message'>No matches!</p>");
  }
  echo $string;
  exit;
}

Here check_markup() can be used as well to prevent the XSS.
Note also the changed SQL query, which now takes the questions' publication status into account.

+  $query = "SELECT q.question,q.nid
  FROM {faq_questions} q,{node} n
  WHERE q.nid=n.nid and n.status=1
  and q.question LIKE '%%%s%%'
  ORDER BY q.question asc"
;
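Review bot: the join on {node} with `n.status=1` correctly hides unpublished questions, but the query still ignores node access for published ones, so a user can see titles of nodes they are not allowed to view. In Drupal 6 that is what db_rewrite_sql() is for; wrapping the query in it before db_query() keeps the status filter and adds the access check.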

+  $row->question = check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE);
   $string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
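Review bot: `$row->question` is rendered as the text of an `<a>` element, so any tags the default format lets through end up nested inside the anchor; for link text check_plain() is the more appropriate call than `check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE)`. Using `l($row->question, 'node/' . $row->nid)` would apply check_plain() to the title and build the aliased href in one step, replacing the hand-built `<a href='/...'>` string as well.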

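Both issues above are output-encoding problems. As an added example that is not code from the faq or faq_search modules, the following stand-alone PHP script renders the detailed question and the search result link the vulnerable way and the encoded way side by side; faq_check_plain() is a hypothetical stand-in for Drupal's check_plain() (which likewise wraps htmlspecialchars()), and the node and row objects are constructed sample data carrying the payload quoted in the post.

```php
<?php
// Added example, not code from the faq / faq_search modules.
// faq_check_plain() is a hypothetical stand-in for Drupal's check_plain();
// inside a real module use check_plain() or check_markup() instead.
// ENT_QUOTES matters because the search module puts the href in single quotes.
function faq_check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable rendering: field values are concatenated into HTML unchanged,
// which is what faq_view_question() and faq_search_find() do above.
function faq_render_unsafe($node, $row) {
  $out  = '<div class="faq-detailed-question">' . $node->detailed_question . '</div>';
  $out .= "<a href='/node/" . $row->nid . "'>" . $row->question . "</a>";
  return $out;
}

// Hardened rendering: every field value is encoded before it touches markup.
// This is the right fix when the fields are plain text; for a field that is
// meant to hold formatted HTML, check_markup() with the node's format takes
// the place of faq_check_plain() on that one value.
function faq_render_safe($node, $row) {
  $out  = '<div class="faq-detailed-question">' . faq_check_plain($node->detailed_question) . '</div>';
  $out .= "<a href='/node/" . (int) $row->nid . "'>" . faq_check_plain($row->question) . "</a>";
  return $out;
}

// Constructed sample data: the payload from the post plus a question with
// quotes and markup, so the encoding of all three quote/tag characters is visible.
$node = new stdClass();
$node->detailed_question = "<script>alert('CSS')</script>";
$row = new stdClass();
$row->nid = 42;
$row->question = "What's <b>new</b> in \"6.x\"?";

echo faq_render_unsafe($node, $row), "\n";
echo faq_render_safe($node, $row), "\n";
```

The first line of output reproduces the stored payload verbatim, the second shows it reduced to inert text with &lt;, &gt;, &#039; and &quot; entities.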