-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Details of this disclosure can also be found at http://www.madirish.net/?article=473 Description of Vulnerability: - ----------------------------- Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Embedded Media Field module (http://drupal.org/project/emfield) "will create fields for content types that can be used to display video, image, and audio files from various third party providers" Unfortunately the Embedded Media Field module contains a vulnerability that could allow arbitrary file upload and potentially code execution. The proof of concept and patch detailed below only cover the upload of an image directly to the server, but a remotely sourced image could also be used to exploit this vulnerability. Systems affected: - ----------------- Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was tested and shown to be vulnerable Impact - ------ Malicious users can upload arbitrary files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP extensions not included in this list (such as .phtml, or .php3) which would allow attackers to upload and execute arbitrary PHP code. Attackers could also upload malicious documents or other material with virus payload and use these to attack other users or exploit flaws in file include vulnerabilities. Mitigating factors: - ------------------- In order to exploit this vulnerability the attacker must have the ability to edit or create content of a content type with an embedded media field and custom thumbnail. Proof of concept: - ----------------- 1. Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25 2. Enable the Content, Embedded Media Field, Embedded Audio Field, and Embedded Medi Thumbnail modules from ?q=/admin/build/modules 3. Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields 4. Add a 'New Field' in the form at the bottom of this page with the label 'audio' the field name 'field_audio' the type 'Embedded Audio' and the form element '3rd Party Aduio' then click the 'Save' button 5. Configure the new video field from ?q=admin/content/node-type/story/fields/field_video 6. Select all content providers for convenience, ensure the 'Allow custom thumbnails for this field' checkbox is checked and click 'Save field settings' button at the bottom of the form 7. Create a new piece of story content from ?q=node/add/story entering arbitrary values. 8. Upload a test file called test.phtml as the custom image thumbnail. 9. Click the 'Upload' button 10. Although an error is displayed the file is still uploaded and available at sites/default/files/test.phtml by default Vendor Response - ---------------- http://drupal.org/node/992924 - -- Justin Klein Keane http://www.MadIrish.net The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iPwEAQECAAYFAk0BFpcACgkQkSlsbLsN1gBoBwb8DN0pbNKLViCFUDL1+IA0JsjA yhkjNJjAHdlO1nrLAMWg4LOHTZwaovPZxE5TtFHA4aVwvjk7OLR50YgO8+6BwhzY zNLQbtn+GzhOEV3lddoCII281PgFHQ0gnNJhisZhUj+A2zGdw0lWtdk5xFyH53Db VfOYrBhKG4bZ61p5En8tTeBvsMBa5rS4djuehhSY5o5WacHrV1CULwxqTRMK3kXJ QLH0/ZGxoxj6tLRyUODVHHk6YAvE5jU2/B9QJKfDQEjUx7vTpIi5ot11jT+PtR/E B5UPk27cqiTamGwocWE= =2EJQ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/