Response to CVE-2014-1607: a purported XSS vulnerability in Event Calendar


CVE-2014-1607 claims to be a vulnerability in Drupal 7.14 and probably newer versions.

We were unable to reproduce the issue on a fresh Drupal 7.x-dev installation with Event Calendar 7.x-1.4, the latest release.

The description provided by HelpAG in public (NVD, SecurityFocus) and their original messages to the Drupal Security Team failed to include a set of steps to reproduce the problem other than instructions to visit "eventcalander/2013%22%20onmouseover%3dalert%28%27XSSed%27%29%20bad%3d%22". In private communications they clarified that the issue is in the Event Calendar module "release version 7. upwards."

As this video demonstrates, the vulnerability cannot be reproduced as described.

Steps followed in the video:

  1. Install Event Calendar module version 7.x-1.4 or 7.x-1.0
  2. Visit event-created/month/2013"onmouseover%3dalert("XSSed") bad%3d"-11#
  3. View page source and note that all instances of the malicious string have been escaped so they will not be interpreted
  4. Attempt to mouseover the page to trigger execution, note that it doesn't work
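
The page-source check in step 3 can be automated. The following is an added example, not code from the Drupal Security Team or the Event Calendar module: it parses the returned HTML and reports whether the step 2 payload stayed inside a single attribute value (inert) or was parsed as a real onmouseover attribute (executable). The two sample pages, the function name audit_reflection and the verdict labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Path segment from step 2, percent-decoded.
PAYLOAD = unquote('2013"onmouseover%3dalert("XSSed") bad%3d"-11')

# Constructed samples (not captured from any site): the same link with the
# payload entity-encoded, and with the payload written out unescaped.
ESCAPED_PAGE = ('<a href="/event-created/month/2013&quot;onmouseover='
                'alert(&quot;XSSed&quot;) bad=&quot;-11">November</a>')
UNESCAPED_PAGE = ('<a href="/event-created/month/2013"onmouseover='
                  'alert("XSSed") bad="-11">November</a>')

class _Collector(HTMLParser):
    """Collect start tags and text nodes with entities already decoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [(n, v or "") for n, v in attrs]))
    def handle_data(self, data):
        self.text.append(data)

def _parse(source):
    collector = _Collector()
    collector.feed(source)
    collector.close()
    return collector

def audit_reflection(page_source, payload=PAYLOAD):
    """Return [(tag, attribute, verdict)] for each place the payload lands."""
    # The handler attribute the payload creates if it escapes a quoted value.
    handler = _parse('<probe x="%s">' % payload).tags[0][1][1]
    page, findings = _parse(page_source), []
    for tag, attrs in page.tags:
        for name, value in attrs:
            if payload in value:        # whole payload is still one value
                findings.append((tag, name, "inert"))
            elif (name, value) == handler:  # parsed as a real event handler
                findings.append((tag, name, "executable"))
    if any(payload in chunk for chunk in page.text):
        findings.append(("#text", "", "inert"))
    return findings

if __name__ == "__main__":
    print(audit_reflection(ESCAPED_PAGE))
    print(audit_reflection(UNESCAPED_PAGE))
```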

We tested the default views provided by the event_calendar module. These do not include the path segment "eventcalendar/".

In addition, a review of the Event Calendar module and the views it defines did not turn up any code vulnerable to this cross-site scripting issue.

An investigation of the vulnerable site as anonymous visitors allowed us to determine that the vulnerability was not created by the Event Calendar module, but by site-specific configuration or code.

We closed the issue as "works as designed" with a request for additional information. Unfortunately, we never received sufficient information to reproduce the problem outside of the reporter's client's site.

Side-note on versions

Drupal core is versioned in the form major.minor, so 7.14 is a version of Drupal. Drupal's modules are versioned in the form corecompat.x-major.minor, so 7.x-1.4 is the 5th release in the 1.x branch of the event_calendar module, and it is compatible with Drupal 7.

Timeline of major events

  • Fri, 2013-10-18 19:48 - Issue reported by CERT Coordination Center
  • Mon, 2013-10-21 15:20 - Issue moved to Calendar queue
  • Tue, 2013-11-05 20:19 - Request for additional information
  • Wed, 2013-11-13 21:15 - Established contact with the reporter
  • Thu, 2013-11-14 05:36 - Contact with the reporter
  • Thu, 2013-11-14 07:43 - Request for additional information
  • Mon, 2013-11-18 07:55 - Contact with the reporter, Event calendar implicated
  • Mon, 2013-11-18 07:57 - Reporter sent a screenshot showing a popup, but not the URL, URL arguments, or HTML source
  • Mon, 2013-11-18 09:35 - Drupal Security Team reported to the issue as unable to reproduce, with a request for specific, additional information
  • Wed, 2013-11-27 06:52 - Unable to reproduce from a different team member, with a request for specific, additional information
  • Wed, 2013-11-27 14:50 - Drupal Security Team asked for additional details
  • Thu, 2014-01-09 17:11 - Reporter replies with (insufficiently) sanitized HTML-output from the vulnerable site. Content does not implicate the module, but a custom views header.
  • Thu, 2014-01-09 17:12 - Closed as "works as designed" with a request for additional information
  • Thu, 2014-01-23 - Issue is disclosed on Bugtraq
  • Mon, 2014-01-27 - Drupal Security Team requests MITRE to investigate and revoke CVE-2014-1607
  • Mon, 2014-01-27 - MITRE asked the reporter to confirm or withdraw the report
  • Wed, 2014-01-29 - MITRE marked the CVE as Disputed (no response from original reporter yet)