[Security-news] SA-CONTRIB-2010-094 - Embedded Media Field - Access bypass

security-news at drupal.org
Wed Sep 22 18:32:39 UTC 2010


  * Advisory ID: DRUPAL-SA-CONTRIB-2010-094
  * Project: Embedded Media Field (third-party module)
  * Version: 5.x, 6.x
  * Date: 2010-September-22
  * Security risk: Moderately Critical
  * Exploitable from: Remote
  * Vulnerability: Access Bypass

-------- DESCRIPTION ---------------------------------------------------------

The Embedded Media Field project is a set of modules that enable editors to
post URLs and embed codes for third-party media providers such as YouTube,
Vimeo, or Flickr, which are automatically parsed and displayed using preset
formatters.

The Embedded Video Field module (packaged with the project) enables videos to
be displayed in a modal popup using the Lightbox2 [1], Shadowbox [2],
Colorbox [3], and Thickbox [4] modules. In some cases the checks on the
user's field-level access to the source video were not carried out correctly
by the popup's backend URL, so a user could request that URL directly and be
shown videos which they would otherwise be unable to access.
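The pattern described above, as an added illustration in Drupal 6 terms; this
is not the Embedded Media Field project's code. The module name
"emvideo_modal_example", its paths, function names and the field item keys
are hypothetical; node_access(), user_access(), drupal_access_denied(),
drupal_not_found() and CCK's content_fields() and content_access() are the
real Drupal 6 and CCK APIs. The vulnerable route guards the popup's backend
URL with the generic "access content" permission only; the hardened route
repeats the node-level and field-level checks the node page itself applies.

```php
<?php
// Added illustration, not the Embedded Media Field project's code. The module
// name, paths and function names are hypothetical; the Drupal 6 / CCK calls
// (node_access, content_fields, content_access, user_access) are real.

/**
 * Implementation of hook_menu().
 */
function emvideo_modal_example_menu() {
  $items = array();

  // Vulnerable pattern: the popup's backend URL is guarded only by the generic
  // 'access content' permission. %node loads the node, but neither node access
  // nor field-level access is consulted before the embed is rendered, so a
  // user who cannot see the field on the node page can still fetch it here.
  $items['emvideo-modal-example/unsafe/%node/%'] = array(
    'page callback'    => 'emvideo_modal_example_unsafe_page',
    'page arguments'   => array(2, 3),
    'access callback'  => 'user_access',
    'access arguments' => array('access content'),
    'type'             => MENU_CALLBACK,
  );

  // Hardened pattern: a dedicated access callback receives the loaded node and
  // the field name and performs the same checks the node page would.
  $items['emvideo-modal-example/safe/%node/%'] = array(
    'page callback'    => 'emvideo_modal_example_safe_page',
    'page arguments'   => array(2, 3),
    'access callback'  => 'emvideo_modal_example_field_access',
    'access arguments' => array(2, 3),
    'type'             => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Access callback: may the current user view $field_name on $node?
 *
 * node_access() covers node-level grants and unpublished nodes; CCK's
 * content_access() invokes hook_field_access(), which is how modules such as
 * Content Permissions deny a field even when the node itself is viewable.
 */
function emvideo_modal_example_field_access($node, $field_name) {
  if (!is_object($node) || !node_access('view', $node)) {
    return FALSE;
  }
  $field = content_fields($field_name, $node->type);
  if (empty($field)) {
    return FALSE;
  }
  return (bool) content_access('view', $field, NULL, $node);
}

/**
 * Vulnerable page callback: returns the embed to whoever reached the URL.
 */
function emvideo_modal_example_unsafe_page($node, $field_name) {
  if (empty($node->{$field_name}[0])) {
    return drupal_not_found();
  }
  return emvideo_modal_example_render($node->{$field_name}[0]);
}

/**
 * Hardened page callback. The menu router has already run the access
 * callback; repeating the check keeps the guarantee when another module
 * calls this function directly instead of going through the router.
 */
function emvideo_modal_example_safe_page($node, $field_name) {
  if (!emvideo_modal_example_field_access($node, $field_name)) {
    return drupal_access_denied();
  }
  if (empty($node->{$field_name}[0])) {
    return drupal_not_found();
  }
  return emvideo_modal_example_render($node->{$field_name}[0]);
}

/**
 * Renders one field item. The item keys ('provider', 'value') are assumed
 * here; check_plain() keeps a provider-supplied string from turning the
 * popup response into an XSS sink.
 */
function emvideo_modal_example_render(array $item) {
  $provider = isset($item['provider']) ? check_plain($item['provider']) : '';
  $value = isset($item['value']) ? check_plain($item['value']) : '';
  return '<div class="emvideo-modal" data-provider="' . $provider . '">' . $value . '</div>';
}
```

The point to carry away is that an access decision made for the node page
does not propagate to any other URL that serves the same data: every
additional entry point (AJAX callback, popup backend, RSS, JSON) must run the
node and field checks itself.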

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.24 and
    6.x-2.0
  * Embedded Media Field module for Drupal 5.x versions prior to 5.x-1.10

Drupal core is not affected. If you do not use the contributed Embedded Media
Field [5] module together with the Embedded Video Field module, there is
nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

  * If you use the Embedded Media Field module for Drupal 6.x upgrade to
    Embedded Media Field 6.x-2.1 [6] or Embedded Media Field 6.x-1.25 [7]
  * If you use the Embedded Media Field module for Drupal 5.x upgrade to
    Embedded Media Field 5.x-1.11 [8]

See also the Embedded Media Field project page [9].
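A check for the upgrade step above, added here and not part of the advisory:
it reads the version line that drupal.org packaging writes into emfield.info
and compares the release number against the fixed releases named in this
advisory. The script name, the branch table and the sample .info text are
constructed for the example; a git checkout without a version line is
reported as unknown rather than fixed.

```php
<?php
// Added example, not the project's or the security team's code. Usage:
//   php emfield_check.php sites/all/modules/emfield
// Fixed releases are those in this advisory: 5.x-1.11, 6.x-1.25, 6.x-2.1.

/** Minimum fixed release number per branch, from the advisory's solution. */
function emfield_fixed_releases() {
  return array('5.x-1' => 11, '6.x-1' => 25, '6.x-2' => 1);
}

/**
 * Returns 'fixed', 'vulnerable' or 'unknown' for a packaged version string
 * such as "6.x-1.24". Dev snapshots ("6.x-2.x-dev") carry no release number
 * and branches outside the table are not covered, so both report 'unknown'.
 */
function emfield_status($version) {
  if (!preg_match('/^([56]\.x-\d+)\.(\d+)$/', trim($version), $m)) {
    return 'unknown';
  }
  $fixed = emfield_fixed_releases();
  if (!isset($fixed[$m[1]])) {
    return 'unknown';
  }
  return ((int) $m[2] >= $fixed[$m[1]]) ? 'fixed' : 'vulnerable';
}

/**
 * Extracts the version from .info file text. Packaged releases contain a
 * line like  version = "6.x-1.24"  ; a plain git checkout has none.
 */
function emfield_status_from_info($info_text) {
  if (!preg_match('/^\s*version\s*=\s*"?([^"\r\n]+?)"?\s*$/m', $info_text, $m)) {
    return 'unknown';
  }
  return emfield_status($m[1]);
}

// Constructed sample standing in for a real emfield.info.
$sample = "name = Embedded Media Field\ncore = 6.x\nversion = \"6.x-1.24\"\n";

if (PHP_SAPI === 'cli' && !empty($argv[1]) && is_file($argv[1] . '/emfield.info')) {
  echo emfield_status_from_info(file_get_contents($argv[1] . '/emfield.info')), "\n";
}
else {
  echo emfield_status_from_info($sample), "\n";
}
```

Run it against each site that has the module installed, including sites that
carry a copy under sites/<name>/modules rather than sites/all/modules; the
update status page only reports the copy Drupal actually loads.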

.... Important note

Users wishing to update from 6.x-1.x to 6.x-2.x (or greater) of Embedded
Media Field should be aware that as of 6.x-2.x the module no longer provides
direct support for third-party media providers; instead it acts as an API for
other modules to use. All providers previously supported directly in earlier
versions are now supported externally; see the partial list on the project
page for the modules offering this support (such as Media: YouTube [10],
Media: Vimeo [11], and Media: Flickr [12]). Please note that at this time
there are not yet specific modules for all the individual providers; if you
don't see your desired provider in that list, it will most likely be in one
of the 'Flotsam' modules listed at the end of that list, which serve as a
temporary placeholder. Developers interested in creating or maintaining one
of these individual provider modules are encouraged to contact the module
maintainers.

-------- REPORTED BY ---------------------------------------------------------

  * Stella Power (stella) [13], of the Drupal security team

-------- FIXED BY ------------------------------------------------------------

  * Stella Power (stella) [14], of the Drupal security team
  * Aaron Winborn (aaron) [15], module co-maintainer

-------- CONTACT -------------------------------------------------------------

The Drupal security team [16] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [17].


[1] http://drupal.org/project/lightbox2
[2] http://drupal.org/project/shadowbox
[3] http://drupal.org/project/colorbox
[4] http://drupal.org/project/thickbox
[5] http://drupal.org/project/emfield
[6] http://drupal.org/node/919368
[7] http://drupal.org/node/919366
[8] http://drupal.org/node/919364
[9] http://drupal.org/project/emfield
[10] http://drupal.org/project/media_youtube
[11] http://drupal.org/project/media_vimeo
[12] http://drupal.org/project/media_flickr
[13] http://drupal.org/user/66894
[14] http://drupal.org/user/66894
[15] http://drupal.org/user/33420
[16] http://drupal.org/security-team
[17] http://drupal.org/contact
