Drupal Embedded Media Field Module Arbitrary File Upload and Code Exec Vulnerability

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure can also be found at
http://www.madirish.net/?article=473

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) "will create fields for content
types that can be used to display video, image, and audio files from
various third party providers"  Unfortunately the Embedded Media Field
module contains a vulnerability that could allow arbitrary file upload
and potentially code execution.  The proof of concept and patch detailed
below only cover the upload of an image directly to the server, but a
remotely sourced image could also be used to exploit this vulnerability.

Systems affected:
- -----------------
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable

Impact
- ------
Malicious users can upload arbitrary files with extensions other than
.php, .pl, .py, .cgi, .asp, or .js.  Many web servers support legacy PHP
extensions not included in this list (such as .phtml, or .php3) which
would allow attackers to upload and execute arbitrary PHP code.
Attackers could also upload malicious documents or other material with
virus payload and use these to attack other users or exploit flaws in
file include vulnerabilities.

Mitigating factors:
- -------------------
In order to exploit this vulnerability the attacker must have the
ability to edit or create content of a content type with an embedded
media field and custom thumbnail.

Proof of concept:
- -----------------
1.  Install Drupal 6-19, CCK module, and Embedded Media Field module
version 6.x-1.25
2.  Enable the Content, Embedded Media Field, Embedded Audio Field, and
Embedded Medi Thumbnail modules from ?q=/admin/build/modules
3.  Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields
4.  Add a 'New Field' in the form at the bottom of this page with the
label 'audio' the field name 'field_audio' the type 'Embedded Audio' and
the form element '3rd Party Aduio' then click the 'Save' button
5.  Configure the new video field from
?q=admin/content/node-type/story/fields/field_video
6.  Select all content providers for convenience, ensure the 'Allow
custom thumbnails for this field' checkbox is checked and click 'Save
field settings' button at the bottom of the form
7.  Create a new piece of story content from ?q=node/add/story entering
arbitrary values.
8.  Upload a test file called test.phtml as the custom image thumbnail.
9.  Click the 'Upload' button
10.  Although an error is displayed the file is still uploaded and
available at sites/default/files/test.phtml by default

Vendor Response
- ----------------
http://drupal.org/node/992924


- -- 
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAk0BFpcACgkQkSlsbLsN1gBoBwb8DN0pbNKLViCFUDL1+IA0JsjA
yhkjNJjAHdlO1nrLAMWg4LOHTZwaovPZxE5TtFHA4aVwvjk7OLR50YgO8+6BwhzY
zNLQbtn+GzhOEV3lddoCII281PgFHQ0gnNJhisZhUj+A2zGdw0lWtdk5xFyH53Db
VfOYrBhKG4bZ61p5En8tTeBvsMBa5rS4djuehhSY5o5WacHrV1CULwxqTRMK3kXJ
QLH0/ZGxoxj6tLRyUODVHHk6YAvE5jU2/B9QJKfDQEjUx7vTpIi5ot11jT+PtR/E
B5UPk27cqiTamGwocWE=
=2EJQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/