CVE-2009-4524

MEDIUM 4.3 / 10.0
Published: December 31, 2009 at 07:30 PM
Modified: April 9, 2025 at 12:30 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site scripting (XSS) vulnerability in the RealName module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a realname (aka real name) element.

CVSS Metrics

Base Score
4.3
Severity
MEDIUM
Vector String (CVSS v2)
AV:N/AC:M/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Drupal sites running the RealName module (6.x-1.x before 6.x-1.3) are exposed to stored cross-site scripting: script or HTML placed in a user's real name is echoed into pages without escaping. Exploitation requires a victim to view a page on which the attacker's real name is rendered; the injected script then runs in the victim's browser with the victim's session, which enables session hijacking, page defacement, and theft of any data the victim can see.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker places a payload, typically a script tag or an HTML attribute carrying an event handler, in the data from which the RealName module builds the displayed real name. That name is assembled from profile fields that account holders can usually edit themselves, so in the common case the attacker needs nothing beyond an account on the site; no database access or administrator involvement is required.

Step 2: Data Storage: The malicious payload is stored in the Drupal database associated with the user's 'realname' field.

Step 3: Victim Interaction: A legitimate user visits a page on the Drupal website that displays the user's profile information, including the 'realname'. This could be a user profile page, a comment section, or any other area where the realname is rendered.

Step 4: Payload Execution: The vulnerable RealName module reads the stored real name and writes it into the HTML output without HTML-escaping it. The victim's browser parses the payload as markup and executes the embedded JavaScript.

Step 5: Exploitation: The injected JavaScript code can perform various malicious actions, such as stealing the victim's session cookies (allowing the attacker to impersonate the user), redirecting the victim to a phishing site, defacing the website, or executing other client-side attacks.

03 // Deep Technical Analysis

The flaw is a missing output-encoding step. The RealName module writes the user-controlled 'realname' value into HTML without escaping it (in Drupal 6 terms, without passing it through check_plain() or an equivalent), so the characters < > " and ' keep their markup meaning and an attacker-chosen string becomes live HTML or JavaScript wherever the name is displayed: profile pages, comment bylines, node author lines and any other place the module substitutes the real name for the account name. RealName 6.x-1.3 corrects this. Two points matter for remediation. First, escaping must happen at render time, because the stored value remains attacker-controlled after the upgrade and any other code path that prints it (a custom theme, a view, a token used in mail, for example) has to escape it as well. Second, input validation is not a substitute: legitimate names contain apostrophes, ampersands and non-ASCII characters that must be stored verbatim and encoded only on output.
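The following stand-alone PHP sketch is added here to illustrate the mechanism described in sections 02 and 03; it is not code from the RealName module or the Drupal project. It puts the vulnerable output pattern next to the hardened form, and adds a coarse post-upgrade triage check for real names that already carry markup. The user records, the payload, the two render functions and find_realnames_with_markup() are constructed for this example; check_plain() is a local stand-in modelled on Drupal 6's function of the same name.

```php
<?php
// Added illustration for CVE-2009-4524. Not the RealName module's code:
// a minimal stand-alone sketch of the vulnerable output pattern, the fix,
// and a post-upgrade triage check. All records below are constructed.

// Stand-in modelled on Drupal 6's check_plain(): HTML-escape a string for
// a text or double-quoted attribute context (< > & " ' become entities).
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// VULNERABLE: the stored real name is concatenated straight into markup, so
// a stored '<img ... onerror=...>' is parsed by the browser as a real tag.
function render_realname_vulnerable($account) {
  return '<a href="/user/' . (int) $account->uid . '" class="username">'
    . $account->realname . '</a>';
}

// FIXED: same markup, but the user-controlled value is escaped at output
// time. The payload is still stored verbatim; it is now displayed as text.
function render_realname_fixed($account) {
  return '<a href="/user/' . (int) $account->uid . '" class="username">'
    . check_plain($account->realname) . '</a>';
}

// Post-upgrade triage (heuristic): the 6.x-1.3 fix escapes on output but
// leaves stored values alone, so list accounts whose real name carries tags.
// Any other code path that prints realname unescaped would still be exposed.
function find_realnames_with_markup(array $accounts) {
  $hits = array();
  foreach ($accounts as $account) {
    if (strip_tags($account->realname) !== $account->realname) {
      $hits[] = $account->uid;
    }
  }
  return $hits;
}

// Constructed sample data: one hostile name and two legitimate names that a
// naive "reject special characters" input filter would wrongly block.
$accounts = array(
  (object) array('uid' => 42, 'name' => 'alice',
    'realname' => 'Alice <img src=x onerror="alert(document.cookie)">'),
  (object) array('uid' => 43, 'name' => 'bob',
    'realname' => "Bob O'Brien"),
  (object) array('uid' => 44, 'name' => 'carol',
    'realname' => 'Carol & Sons'),
);

foreach ($accounts as $account) {
  echo "uid {$account->uid}\n";
  echo "  vulnerable: " . render_realname_vulnerable($account) . "\n";
  echo "  fixed:      " . render_realname_fixed($account) . "\n";
}

// Self-checks on the hostile record: the tag survives the vulnerable path,
// is neutralised by the fixed path, and is flagged by the triage check.
$alice = $accounts[0];
assert(strpos(render_realname_vulnerable($alice), '<img') !== false);
assert(strpos(render_realname_fixed($alice), '<img') === false);
assert(strpos(render_realname_fixed($alice), '&lt;img src=x onerror=&quot;') !== false);
assert(find_realnames_with_markup($accounts) === array(42));
```

Run it with the PHP CLI (php realname_xss.php). The escaped output for the hostile record shows the payload as literal text, while the legitimate names pass through with their apostrophe and ampersand encoded but intact. The triage function is deliberately simple: strip_tags() catches anything that looks like a tag, which is enough to find stored payloads worth reviewing after an upgrade, but it is not a sanitizer and should not be used as one. If the interpreter runs with zend.assertions=-1 the assert() lines are skipped.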

CVE-2009-4524 - MEDIUM Severity (4.3) | Free CVE Database | 4nuxd