Drupal Embedded Media Field Cross Site Scripting

Type packetstorm
Reporter Justin C. Klein Keane
Modified 2010-12-09T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
Details of this disclosure are also available at  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Drupal Embedded Media Field module  
(http://drupal.org/project/emfield) "will create fields for content  
types that can be used to display video, image, and audio files from  
various third party providers" Unfortunately the Embedded Media Field  
module contains an arbitrary HTML injection vulnerability (also known as  
cross site scripting, or XSS) due to the fact that it fails to sanitize  
user supplied audio file paths and custom embed code.  
Systems affected:  
- -----------------  
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was  
tested and shown to be vulnerable  
- ------  
Users could inject arbitrary scripts into pages affecting other site  
users. This could result in administrative account compromise leading  
to web server process compromise. A more likely scenario would be for  
an attacker to inject hidden content (such as iframes, applets, or  
embedded objects) that would attack client browsers in an attempt to  
compromise site users' machines. This vulnerability could also be used  
to launch cross site request forgery (XSRF) attacks against the site  
that could have other unexpected consequences.  
Mitigating factors:  
- -------------------  
In order to exploit this vulnerability the attacker must have the  
ability to edit content of a content type with an embedded media field.  
Proof of concept:  
- -----------------  
1. Install Drupal 6-19, CCK module, and Embedded Media Field module  
version 6.x-1.25  
2. Enable the Content, Embedded Media Field, Embedded Audio Field  
modules from ?q=/admin/build/modules  
3. Alter the default 'Story' content type at  
4. Add a 'New Field' in the form at the bottom of this page with the  
label 'audio' the field name 'field_audio' the type 'Embedded Audio' and  
the form element '3rd Party Aduio' then click the 'Save' button  
5. Configure the new video field from  
6. Select all content providers for convenience and click 'Save field  
settings' button at the bottom of the form  
7. Create a new piece of story content from ?q=node/add/story entering  
arbitrary values.  
8. Enter "'/><script>alert('xss');</script><embed  
src='http://traffic.libsyn.com/pauldotcom/PaulDotCom-SW-217pt2.mp3" in  
the 'audio:' text field  
9. Click the 'Save' and observe the rendered JavaScript alert whenever  
the node is displayed  
- ------------------------------------------  
Applying the following patch mitigates this issue in version 6.x-1.25  
- --- emfield/contrib/emaudio/providers/custom_url.inc 2009-06-26  
14:31:00.000000000 -0400  
+++ emfield/contrib/emaudio/providers/custom_url.inc 2010-11-05  
15:17:08.000000000 -0400  
@@ -110,6 +110,7 @@ function emaudio_custom_url_rss($item, $  
function theme_emaudio_custom_url_flash($url = NULL, $width = 0,  
$height = 0, $field = NULL, $data = array(), $node = NULL, $autoplay =  
FALSE) {  
+ $url=str_replace("'", '', $url); //this should be a URL validator  
// Display the audio using Flowplayer if it's available.  
if (module_exists('flowplayer')) {  
$config = array(  
Vendor Response  
- ---------------  
- --   
Justin Klein Keane  
The digital signature on this message can be confirmed using  
the public key at http://www.madirish.net/gpgkey  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/