Русский
EnglishDrupal 6.17 faq and faq search modules is containing XSS vulnerability
Posted: 28.01.2012 - 20:03 | Author: Svetlana Drupal 6.17 faq and faq search modules is containing XSS vulnerability
This code seemed suspicious for me when I was adding pager for FAQ 6.x-1.12 modules feature tho theese modules:
Faq.module,v 1.1.4.52.2.145 2010/10/29 :
function faq_view_question(&$data, $node, $path = NULL, $anchor = NULL) {
$disable_node_links = variable_get('faq_disable_node_links', FALSE);
$question = '';
if ($disable_node_links) {
if (empty($path) && empty($anchor)) {
$question = check_plain($node->title);
}
elseif (empty($path)) {
$question = '<a name="' . $anchor . '" id="' . $anchor . '">' . check_plain($node->title) .'</a>';
}
else {
$options = array();
if ($anchor) {
$options['attributes'] = array('id' => $anchor);
}
$question = l($node->title, $path, $options);
}
}
else {
if (empty($anchor)) {
$question = l($node->title, "node/$node->nid");
}
else {
$question = l($node->title, "node/$node->nid", array("attributes" => array("name" => "$anchor", "id" => "$anchor")));
}
}
if (variable_get('faq_display', 'questions_top') != 'hide_answer' && !empty($node->detailed_question) && variable_get('faq_question_length', 'short') == 'both') {
$question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
}
$data['question'] = $question;
}
function faq_view_question(&$data, $node, $path = NULL, $anchor = NULL) {
$disable_node_links = variable_get('faq_disable_node_links', FALSE);
$question = '';
if ($disable_node_links) {
if (empty($path) && empty($anchor)) {
$question = check_plain($node->title);
}
elseif (empty($path)) {
$question = '<a name="' . $anchor . '" id="' . $anchor . '">' . check_plain($node->title) .'</a>';
}
else {
$options = array();
if ($anchor) {
$options['attributes'] = array('id' => $anchor);
}
$question = l($node->title, $path, $options);
}
}
else {
if (empty($anchor)) {
$question = l($node->title, "node/$node->nid");
}
else {
$question = l($node->title, "node/$node->nid", array("attributes" => array("name" => "$anchor", "id" => "$anchor")));
}
}
if (variable_get('faq_display', 'questions_top') != 'hide_answer' && !empty($node->detailed_question) && variable_get('faq_question_length', 'short') == 'both') {
$question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
}
$data['question'] = $question;
}
"Detailed question" field is not filtered and is vulnerable for active XSS:
<script>alert('CSS')</script>
If you enable full question display in page layout, then code below will display window with "CSS" word.
To avoid it use check_markup function, which is filter input according choosed format:
+ $node->detailed_question = check_markup($node->detailed_question, $node->format, FALSE);
$question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
$question .= '<div class="faq-detailed-question">'. $node->detailed_question .'</div>';
FAQ Search 6.x-1.3-beta3 does not filter question field:
faq_search.find.inc,v 1.1.2.1 2009/09/08:
function faq_search_find() {
$term = strip_tags(drupal_substr($_POST['keyword'], 0, 100));
$query = "SELECT question,nid
FROM {faq_questions}
WHERE question LIKE '%%%s%%'
ORDER BY question asc";
$result = db_query($query, $term);
$string = "";
while ($row = db_fetch_object($result)) {
$string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
}
if ( empty($string) ) {
$string = t("<p class='message'>No matches!</p>");
}
echo $string;
exit;
function faq_search_find() {
$term = strip_tags(drupal_substr($_POST['keyword'], 0, 100));
$query = "SELECT question,nid
FROM {faq_questions}
WHERE question LIKE '%%%s%%'
ORDER BY question asc";
$result = db_query($query, $term);
$string = "";
while ($row = db_fetch_object($result)) {
$string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
}
if ( empty($string) ) {
$string = t("<p class='message'>No matches!</p>");
}
echo $string;
exit;
You can also use check_markup function to prevent XSS.
Note changed sql query according questions publication status.
+ $query = "SELECT q.question,q.nid
FROM {faq_questions} q,{node} n
WHERE q.nid=n.nid and n.status=1
and q.question LIKE '%%%s%%'
ORDER BY q.question asc";
+ $row->question = check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE);
$string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
FROM {faq_questions} q,{node} n
WHERE q.nid=n.nid and n.status=1
and q.question LIKE '%%%s%%'
ORDER BY q.question asc";
+ $row->question = check_markup($row->question, FILTER_FORMAT_DEFAULT, FALSE);
$string .= "<a href='/". drupal_get_path_alias('node/'. $row->nid)."'>". $row->question ."</a>";
|
Нажимая кнопку «Сохранить», я подтверждаю свою дееспособность, согласие на получение информации от NetK, согласие на обработку персональных данных в соответствии с Политикой конфиденциальности и Пользовательским соглашением.
