
DOE-CIRC TECHNICAL BULLETIN

T-262: Drupal Workflow Module Multiple HTML Injection Vulnerabilities

October 30, 2009 13:00 GMT

PROBLEM: The Workflow module for Drupal is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
PLATFORM: Drupal Workflow 6.x-1.1, Drupal Workflow 5.x-2.3, Drupal Workflow 5.x-1.2, Drupal Workflow 5.x-1.1
ABSTRACT: Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-262.shtml
  OTHER LINKS: Security Focus: http://www.securityfocus.com/bid/36878/info


IMPACT ASSESSMENT: This risk is medium. Attackers can exploit these issues via a browser, but they would need 'administer workflow' permission to carry out the cross-site-scripting attack.

Discussion:
The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised before display, so they are rendered as markup rather than as plain text, leading to a cross-site scripting (XSS) vulnerability. Exploiting this vulnerability would allow a malicious user to gain full administrative access.

Mitigating factors: A malicious user would need 'administer workflow' permission to carry out the cross-site-scripting attack.

Vulnerable:
Workflow module for Drupal 6.x: versions prior to Workflow 6.x-1.2
Workflow module for Drupal 5.x: versions prior to Workflow 5.x-2.4

Drupal core is not affected. If you do not use the contributed Workflow module, there is nothing you need to do.

Solution:
Install the latest version.

If you use the Workflow module for Drupal 6.x, upgrade to Workflow 6.x-1.2
http://drupal.org/node/612832

If you use the Workflow module for Drupal 5.x, upgrade to Workflow 5.x-2.4
http://drupal.org/node/612834
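
To check an installed copy against the fixed releases above, the following Python is an added example, not part of the DOE-CIRC bulletin or the Workflow project. It reads the `version` line that drupal.org packaging writes into a module's `.info` file and classifies it; the function names and the sample `.info` text are constructed for illustration.

```python
import re

# First fixed Workflow release per Drupal core branch, as stated in the bulletin.
FIXED = {"6": (1, 2), "5": (2, 4)}

VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.MULTILINE)
RELEASE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-(.+))?$')

# Constructed sample of a packaged workflow.info file (not taken from a real site).
SAMPLE_INFO = """\
name = Workflow
core = 6.x
; Information added by drupal.org packaging script
version = "6.x-1.1"
project = "workflow"
"""


def info_version(info_text):
    """Return the version string from a module .info file, or None if absent."""
    match = VERSION_LINE.search(info_text)
    return match.group(1) if match else None


def triage(version):
    """Classify a Workflow release string as 'vulnerable', 'fixed' or 'unknown'."""
    match = RELEASE.match(version or "")
    if not match or match.group(1) not in FIXED:
        return "unknown"  # unparsable, or a core branch the bulletin does not cover
    core, major, patch, extra = match.groups()
    if patch == "x":
        return "unknown"  # -dev snapshot: the string does not identify the code level
    release = (int(major), int(patch))
    if release < FIXED[core]:
        return "vulnerable"
    if release == FIXED[core] and extra:
        return "unknown"  # pre-release tag of the fixed version; verify manually
    return "fixed"


if __name__ == "__main__":
    found = info_version(SAMPLE_INFO)
    print(found, "->", triage(found))
```

A module deployed from version control has no `version` line, and that case is reported as `unknown` rather than `fixed`.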


DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788