[Security-news] SA-CONTRIB-2010-109 - Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam - Multiple Vulnerabilities

security-news at drupal.org security-news at drupal.org
Wed Dec 8 22:18:13 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-109
  * Projects: Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam
    (third-party module)
  * Version: 5.x and 6.x
  * Date: 2010-December-08
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

.... 1 - Arbitrary File Upload/Code Execution Vulnerability

The Embedded Thumbnail module (packaged with the project) allows users who
upload videos to upload their own thumbnail image in place of the one the
Embedded Media Field module would otherwise display. Unfortunately, the
Embedded Thumbnail module contains a vulnerability that allows arbitrary file
upload and potentially remote code execution. The upload check is a deny
list: only files whose extension is .php, .pl, .py, .cgi, .asp or .js are
refused, and every other file is accepted. Many web servers also execute
legacy PHP extensions that are not on this list (such as .phtml or .php3),
which would allow an attacker to upload and execute arbitrary PHP code.
Attackers could also upload malicious documents or virus-laden files and use
them to attack other users, or to exploit file inclusion flaws elsewhere on
the server. This exploit is mitigated by the fact that the site must have a
content type with an embedded media field that allows users to upload custom
thumbnails, and the user must have access to create or edit that content
type.
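
The following is an added example, not code from the Embedded Thumbnail
module or from Drupal core, contrasting the deny-list check the advisory
describes with an allow-list of image extensions (the approach Drupal core's
own file_validate_extensions() takes). Both function names and the sample
filenames are constructed for illustration.

```php
<?php
// Added example (hypothetical names, not the module's code): why a deny list
// of "dangerous" extensions is not a safe upload filter.

// Deny-list check as described in the advisory: only six extensions are
// refused. .phtml, .php3 and a trailing "harmless" extension all get through.
function thumbnail_extension_denylisted($filename) {
  $denied = array('php', 'pl', 'py', 'cgi', 'asp', 'js');
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return !in_array($ext, $denied, TRUE);
}

// Allow-list check: accept only image extensions, and also refuse names whose
// inner segments are executable (shell.php.png). With an AddHandler-style
// Apache configuration mod_mime inspects every dotted segment, so such a file
// may still be run as PHP. Drupal core's file_munge_filename() neutralises the
// same case by renaming inner extensions (shell.php_.png).
function thumbnail_extension_allowed($filename) {
  $allowed = array('png', 'jpg', 'jpeg', 'gif');
  $parts = explode('.', basename($filename));
  if (count($parts) < 2) {
    return FALSE;                               // no extension at all
  }
  $ext = strtolower(array_pop($parts));
  if (!in_array($ext, $allowed, TRUE)) {
    return FALSE;
  }
  array_shift($parts);                          // the base name itself is free-form
  foreach ($parts as $segment) {
    if (preg_match('/^(php\d?|phtml|pl|py|cgi|asp|js)$/i', $segment)) {
      return FALSE;                             // executable inner extension
    }
  }
  return TRUE;
}

// Constructed sample upload names.
$samples = array('poster.png', 'shell.php', 'shell.phtml',
                 'shell.php3', 'shell.php.png', 'noext');
foreach ($samples as $name) {
  printf("%-14s denylist:%-7s allowlist:%s\n", $name,
    thumbnail_extension_denylisted($name) ? 'pass' : 'REJECT',
    thumbnail_extension_allowed($name) ? 'pass' : 'REJECT');
}
```

The deny list passes shell.phtml, shell.php3 and shell.php.png; the allow
list refuses all three and only accepts poster.png. An extension check alone
is still only a name check: a thumbnail upload handler should additionally
verify the file content (for images, that getimagesize() recognises it) and
store uploads outside the web root or under a directory where script
execution is disabled.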

.... 2 - Embed XSS Vulnerability

The 5.x-1.x and 6.x-1.x versions of the Embedded Media Field module come
packaged with "custom provider files" that allow users to add audio and video
files to their site by posting a link to the direct URL of an audio or video
file in the field emfield provides. Unfortunately the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as cross
site scripting, or XSS) because it fails to sanitize user-supplied audio file
paths and embed codes before display. Please note that in the 6.x-2.x branch
of the Embedded Media Field module the custom audio and video provider files
were recently moved into separate modules, Media: Video Flotsam [1] and
Media: Audio Flotsam [2], which are affected in the same way. This exploit is
mitigated by the fact that the site must have a content type with an embedded
media field that has the custom audio or video provider file enabled, and the
user must have access to create or edit that content type.

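
The following is an added example, not the emfield or Flotsam provider code,
showing how a provider that builds embed markup from a user-supplied media
URL becomes an XSS sink, and the two checks that close it: restricting the URL
scheme and HTML-escaping the value before it is placed in an attribute. In
Drupal 6 the equivalent core helpers are check_url() and check_plain(); the
function names and inputs below are constructed for illustration.

```php
<?php
// Added example (hypothetical names, not the module's code): rendering a
// user-supplied "audio file path" into an <embed> tag.

// Vulnerable form: the raw value is interpolated into the src attribute, so a
// value containing a double quote breaks out of the attribute and can add
// event handlers, and a javascript: URL is passed through untouched.
function render_embed_unsafe($url) {
  return '<embed src="' . $url . '" type="audio/mpeg"></embed>';
}

// Hardened form: accept only http/https URLs and escape the value for an HTML
// attribute context (check_url() + check_plain() in Drupal 6 do the same job).
function render_embed_safe($url) {
  $parts = parse_url($url);
  if ($parts === FALSE || !isset($parts['scheme'])
      || !in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return '';                                  // reject: not a web URL
  }
  $escaped = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
  return '<embed src="' . $escaped . '" type="audio/mpeg"></embed>';
}

// Constructed inputs: one benign link and two payloads that would execute in
// a browser when rendered by the unsafe function.
$inputs = array(
  'http://example.com/track.mp3',
  '" onmouseover="alert(1)',                    // attribute breakout
  'javascript:alert(document.cookie)',          // dangerous scheme
);
foreach ($inputs as $in) {
  $safe = render_embed_safe($in);
  echo "input:  " . $in . "\n";
  echo "unsafe: " . render_embed_unsafe($in) . "\n";
  echo "safe:   " . ($safe === '' ? '(rejected)' : $safe) . "\n\n";
}
```

Escaping is the right tool for a URL or path that ends up inside an
attribute. A raw "embed code" that the user supplies as HTML cannot be
escaped without destroying it; it has to be filtered against an allow list of
tags and attributes (filter_xss() in Drupal 6) or, better, not accepted as
HTML at all and regenerated server-side from a validated URL.
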
-------- VERSIONS AFFECTED ---------------------------------------------------

  * Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and
    6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12.
  * Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2.
  * Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Embedded Media
Field [3] module, together with the Embedded Thumbnail Field module or the
custom audio and video provider files included in emfield as well as in
Media: Audio Flotsam [4] and/or Media: Video Flotsam [5], there is nothing
you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Embedded Media Field module for Drupal 6.x upgrade to
    either Embedded Media Field 6.x-2.4 [6] or Embedded Media Field 6.x-1.26
    [7].
  * If you use the Embedded Media Field module for Drupal 5.x upgrade to
    Embedded Media Field 5.x-1.12 [8].
  * If you use the Media: Video Flotsam module upgrade to Media: Video Flotsam
    6.x-1.2 [9].
  * If you use the Media: Audio Flotsam module upgrade to Media: Audio Flotsam
    6.x-1.1 [10].

-------- REPORTED BY ---------------------------------------------------------

  * Stella Power (stella) [11], of the Drupal security team

-------- FIXED BY ------------------------------------------------------------

  * Stella Power (stella) [12]
  * Matthew Klein (kleinmp) [13], module co-maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [14] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [15].


[1] http://drupal.org/project/media_video_flotsam
[2] http://drupal.org/project/media_audio_flotsam
[3] http://drupal.org/project/emfield
[4] http://drupal.org/project/media_audio_flotsam
[5] http://drupal.org/project/media_video_flotsam
[6] http://drupal.org/node/992912
[7] http://drupal.org/node/992910
[8] http://drupal.org/node/992906
[9] http://drupal.org/node/992918
[10] http://drupal.org/node/992916
[11] http://drupal.org/user/66894
[12] http://drupal.org/user/66894
[13] http://drupal.org/user/390447
[14] http://drupal.org/security-team
[15] http://drupal.org/contact
