Drupal Imagefield Upload / Cross Site Scripting

Type packetstorm
Reporter Andrew Rosborough
Modified 2009-01-29T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
Drupal Imagefield Module Multiple Vulnerabilities  
Security Risk: High  
Exploitable: Remotely  
Vulnerabilities: Arbitrary File Upload, Cross Site Scripting  
Discovered by: Justin C. Klein Keane, Andrew Rosborough  
Tested: Imagefield 5.x-2.2 on Drupal 5.15  
Drupal (http://drupal.org) is a robust content management system (CMS)  
that provides extensibility through hundreds of third party modules.  
While the security of Drupal core modules is vetted by a central  
security team(http://drupal.org/security), third party modules are not  
reviewed for security.  
The Imagefield module (http://drupal.org/project/imagefield) is a module  
that extends the Drupal CCK (Content Creation Kit) module  
(http://www.drupal.org/project/cck) by allowing users to add image  
fields to custom content types.  
Arbitrary File Upload Vulnerability  
Two flaws exist in this module. The first flaw allows for an attacker  
to upload arbitrary files to the filesystem. The vulnerability allows  
attackers to upload arbitrary files in place of the 'Default image'  
specified in the Imagefield specifications for a content type field.  
Files are uploaded to Drupal's /files/imagefield_default_files/  
directory on a default installation (with files specified as the default  
upload directory through Drupal's administrative configuration - this  
may vary).  
Mitigating Factors  
Attackers must be authenticated with an account that has 'administer  
content types' permissions. Additionally, Drupal protects the files  
directory, and subdirectories with an .htaccess file located in the  
files directory that specifies:  
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006  
Options None  
Options +FollowSymLinks  
This will prevent the direct execution of PHP files. Additionally  
Drupal's file_check_upload() function munges the file extensions that  
match PHP, PL, PY, CGI, ASP, and JS with the following code:  
// Rename potentially executable files, to help prevent exploits.  
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&  
(substr($file->filename, -4) != '.txt')) {  
$file->filemime = 'text/plain';  
$file->filepath .= '.txt';  
$file->filename .= '.txt';  
Exploiting the File Upload Vulnerability  
To exploit the vulnerability:  
1. Log in as a user with 'Administer content types' privilege  
2. Click Administer -> Content Types  
3. Click 'Add content type'  
4. Fill in required text in the Identification, Submission and other  
5. Click 'Save content type' button  
6. Click 'edit' under the Operations column on the 'Administer' ->  
'Content management' screen for the new content type  
7. Click 'Add field'  
8. Fill in the 'Name' text box in the 'Create new field' fieldset and  
select the 'Image' radio button  
9. Click the 'Create field' button  
10. In the next screen (assuming the new field was named 'test' and the  
new type was named 'test' this will be in Home > Administer > Content  
management > Content types > test) scroll down to the 'Data settings'  
11. Click the 'Browse' button in the 'Default image' fieldset and  
select a file from your filesystem.  
12. Click 'Save field settings' button  
13. Log into your server and do a directory listing of the upload  
directory to verify the new file has been uploaded.  
# cd /var/www/html/drupal-5.15/files/imagefield_default_images/  
# ls  
- - -rw-rw-r-- 1 apache apache 18 2009-01-22 10:22 field_test_0.exe  
14. Browse to the file (assuming Drupal is running at the doc root):  
Cross Site Scripting (XSS) Vulnerability  
The Imagefield module also contains a XSS vulnerability in the 'Help'  
field. Any user with rights to administer content types can edit a  
content type that contains an image field or create a content type that  
contains an image field. In the 'Widget settings' fieldset presented  
during configuration of the specific image field a textarea labeled  
'Help text:' is presented. Arbitrary script can be entered into this  
text area and it is not escaped. This vulnerability is especially  
dangerous because the script executes whenever a user creates new  
content of the type with the XSS infected help text. This potentially  
exposes site administrators to the XSS attack.  
- --  
Justin C. Klein Keane  
Version: GnuPG v1.4.7 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org