Full Disclosure mailing list archives

Drupal Embedded Media Field Module XSS Vuln


From: Justin Klein Keane <justin () madirish net>
Date: Thu, 09 Dec 2010 12:47:20 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure can also be found at
http://www.madirish.net/?article=474

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) "will create fields for content
types that can be used to display video, image, and audio files from
various third party providers"  Unfortunately the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as
cross site scripting, or XSS) due to the fact that it fails to sanitize
filenames of thumbnail images before display.

Systems affected:
- -----------------
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable

Impact
- ------
Users could inject arbitrary scripts into pages affecting other site
users.  This could result in administrative account compromise leading
to web server process compromise.  A more likely scenario would be for
an attacker to inject hidden content (such as iframes, applets, or
embedded objects) that would attack client browsers in an attempt to
compromise site users' machines.  This vulnerability could also be used
to launch cross site request forgery (XSRF) attacks against the site
that could have other unexpected consequences.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have the
ability to edit content of a content type with an embedded media field.
 Also, many operating systems prevent the creation of files with slashes
in their names so clever use of scripting without slashes is required to
exploit this vulnerability.

Proof of concept:
- -----------------
1.  Install Drupal 6-19, CCK module, and Embedded Media Field module
version 6.x-1.25
2.  Enable the Content, Embedded Media Field, Embedded Media Thumbnail
and Embedded Video Field modules from ?q=/admin/build/modules
3.  Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields
4.  Add a 'New Field' in the form at the bottom of this page with the
label 'video' the field name 'field_video' the type 'Embedded Video' and
the form element '3rd Party Video' then click the 'Save' button
5.  Configure the new video field from
?q=admin/content/node-type/story/fields/field_video
6.  Select YouTube as a content provider for convenience and be sure
'Allow custom thumbnails for this field' is checked and click 'Save
field settings' button at the bottom of the form
7.  Create a new piece of story content from ?q=node/add/story entering
arbitrary values.  For the 'Video custom thumbnail' choose an image with
a name like "<image src='no.jpg' onerror='alert("xss")'>.png" and click
the 'Upload' button
8.  Observe the rendered javascript alert dialogue
9.  Click the 'Save' button so that the XSS persists to future node edits

Patch:
- ------------------------------------------
Applying the following patch mitigates this issue in version 6.x-1.25

- --- emfield/contrib/emthumb/emthumb.module    2010-07-19 11:12:47.000000000
- -0400
+++ emfield/contrib/emthumb/emthumb.module      2010-11-04 16:10:48.000000000
- -0400
@@ -157,7 +157,7 @@ function emthumb_widget_element_process(

     $element['emthumb']['description'] = array(
       '#type' => 'markup',
- -      '#value' => '<strong>'. t('Filename:') .' </strong>'.
$file['filename'],
+      '#value' => '<strong>'. t('Filename:') .' </strong>'.
check_plain($file['filename']),
     );

     // Overwrite with an input field if custom_alt is flagged.

Vendor Response
- ---------------
http://drupal.org/node/992924


- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk0BFicACgkQkSlsbLsN1gAr4wb/ZEM6I7WsGlo1Dmx58OAVl0nt
3jqcUBA6bqyZW486gyHmvavWxMofK8La1HTzmHCexspJ+M1u2oGXkp8cK6SNEiza
AIgO65vCgBsmKrfdOoy5kE9P+G+FDNOeCrHA5yEKWD1+IWzdRln+mtl0NGgSeEPn
CWkA7HW3nHlOZAVcdL5oWAYzSILD1iCh3VeVvDgtq42rUcjePwULWFgskjJ+Wcaw
q/YHEdBJO6Nd4G0I/KnYoD0HaCNcqhDcG7iaN+OXKdSNYnm5cfsCEpX4wlYpRDSV
b370KxPHrXlVrDe70iQ=
=tHrF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Current thread: