Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21910
HistoryMay 29, 2009 - 12:00 a.m.

[Full-disclosure] Drupal Embedded Media Field Module Multiple XSS

2009-05-2900:00:00
vulners.com
20
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this disclosure are posted at
http://lampsecurity.org/drupal-6-embed-media-xss-vulnerability

Vendor notified: 5/27/09
Vendor response: (see below)

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules. The Embedded Media Field
(http://drupal.org/project/emfield) module is a Content Construction Kit
(CCK) module that allows for the creation of node content types that can
be used for displaying video, image or audio files from a third party.
The Embedded Media Field module contains several cross site scripting
(XSS) vulnerabilities:

The Embedded Media Field module contains a XSS vulnerability because it
does not properly sanitize the output of 'Help text', 'Custom thumbnail
label', of 'Custom thumbnail description' specified when creating an
Embedded Media Field content type field.

Systems affected:

Drupal 6.12 with CCK 6.x-2.2 and Embedded Media Field 6.x-1.0 was tested
and shown to be vulnerable.

Impact:

XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:

The Embedded Media Field module must be installed. Only users who have
rights to create content or administer content types are exposed to the
XSS, although these accounts are generally privileged, representing a
greater risk. 'Administer content types' privilege is required to carry
out the proof of concept below, although other vectors may exist.

Vendor Response:

Vendor has filed a bug report with module maintainer at
http://drupal.org/node/474790.

Proof of concept:

  1. Install Drupal 6.12 and CCK.
  2. Install Embedded Media Field and enable all Print functionality
    through Administer-> Modules.
  3. Adjust fields in the 'Story' content type by clicking on Administer
  • -> Content management -> Content types, then clicking 'manage fields'
    next to 'Story'
  1. In the 'Add' field type in an arbitrary field label and field name in
    the 'New field' area
  2. Select 'Embedded Video' from the 'Type of data to store' drop down
  3. Click the 'Save' button
  4. On the resultant screen fill in "<script>alert('custom thumbnail
    label xss');</script>" in the "Custom thumbnail label:" text field
  5. Fill in "<script>alert('custom thumbnail description xss');</script>"
    in the "Custom thumbnail description:" text field
  6. Fill in "
  7. Click the 'Save field settings' button
  8. Create new content of the type by clicking the 'Create content' link
    then the 'Story' link
  9. Observe multiple JavaScript alerts

Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSh6YjZEpbGy7DdYAAQJNsgb/T3zxhzwE5Y3wiG5bZ/64i7S9fn/TpV2V
fukx2r3ttPex3fLl+SYNFfU8wVV78l33q3TZKn9iudp1dw4ENav94WcOff9zrwKQ
mJS6BVUUco+dVIO+AaX6YCe7a0DX2vcXT7tJY+/AlcL3DtVywJUXAvwdMRrtbCXC
uAiLHaIrRc+J3BxxwMkMIPMn4Do1NJGJHpSCQUpmhj4nMZBA9LWqJLDUdo1sqp6V
eEBIWxd31pO8Nm6UODAunBmGtfGziijv3BoZ0xxtTx2k4n1tO3Ierg/EjnHkNmdK
Zmb7PEickN0=
=pMOG
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON