Drupal FileField 6.x-3.3 XSS Vulnerability
FileField 6.x-3.3 Arbitrary Script Injection Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal FileField module (http://drupal.org/project/filefield) "provides a universal file upload field for CCK. It is a robust alternative to core's Upload module and an absolute must for users uploading a large number of files. Great for managing video and audio files for podcasts on your own site." The FileField module contains a cross-site scripting (XSS) vulnerability because it fails to sanitize image filenames before display.
Systems affected:
Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown to be vulnerable.
Impact:
Users who have rights to create content may upload files (including images) with malicious names that are rendered unescaped and could result in script execution. This could result in administrative account compromise, leading to web server process compromise.
Mitigating factors:
In order to execute the proof of concept described below, the attacker must have rights to create content of a type that employs a FileField CCK element. This would include most content that has attachments, including imagery, documents, etc.
Additionally, Drupal's file handling must be set to Public in the File system settings at ?q=admin/settings/file-system. This is the default configuration.
Proof of Concept:
1. Install Drupal 6.16, CCK 6.x-2.6, and FileField 6.x-3.3
2. Create a new content type at ?q=admin/content/types/add using arbitrary values
3. Click on the 'Manage fields' link to view ?q=admin/content/node-type/XX/fields where XX is the new content type name from step 2
4. Add a new field with arbitrary names, select 'File' from the 'Select a field type' drop down and 'File Upload' from 'Select a widget'
5. Click 'Save'
6. Enter 'gif' for 'Permitted upload file extensions' and arbitrary values for the other settings
7. Click the 'Display fields' tab to view ?q=admin/content/node-type/XX/display where XX is the new content type name from step 2
8. Select 'Path to file' from the 'Full node' drop down and click 'Save'
9. Create a new .gif image and name it "<iframe src="index.php" onload="alert('xss')">.gif"
10. Create new content from ?q=node/add/XX where XX is the new content type name from step 2
11. Upload the file from step 9 and fill in arbitrary values for other settings
12. Save the node to view the rendered iframe and JavaScript alert
Patch:
Applying the following patch mitigates this issue in version 6.x-3.3.
diff -up filefield/filefield_formatter.inc filefield.fixed/filefield_formatter.inc --- filefield/filefield_formatter.inc 2010-04-23 23:54:59.000000000 -0400 +++ filefield.fixed/filefield_formatter.inc 2010-05-18 16:49:35.262236051 -0400 @@ -40,7 +40,7 @@ function theme_filefield_formatter_path_ $item = array_merge($item, field_file_load($item['fid'])); } - return empty($item['filepath']) ? '' : file_create_path($item['filepath']); + return empty($item['filepath']) ? '' : file_create_path(check_plain($item['filepath'])); } /** @@ -63,7 +63,7 @@ function theme_filefield_formatter_url_p $item = array_merge($item, field_file_load($item['fid'])); } - return empty($item['filepath']) ? '' : file_create_url($item['filepath']); + return empty($item['filepath']) ? '' : file_create_url(check_plain($item['filepath'])); } /**
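Review bot: In the first hunk (theme_filefield_formatter_path_), check_plain() is applied to $item['filepath'] before file_create_path() builds the path, so a legitimate filename containing any of the characters check_plain() rewrites (& < > " ') now produces a path string that differs from the file actually stored (an & in the name becomes &amp; inside the path), and a caller that escapes the returned value again will double-encode it. Escaping the finished value instead, `return empty($item['filepath']) ? '' : check_plain(file_create_path($item['filepath']));`, neutralises the markup at the output boundary without altering the path.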
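Review bot: The second hunk (theme_filefield_formatter_url_p) has the same ordering problem: check_plain() runs on the raw filepath rather than on the URL file_create_url() returns, so the entity-encoded name is embedded into the URL and no longer matches the stored path. Suggest `return empty($item['filepath']) ? '' : check_plain(file_create_url($item['filepath']));`. The patch also touches only these two formatter theme functions; any other formatter in this file that outputs $item['filepath'] or the filename should be checked for the same missing escaping.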
Vendor Response:
Upgrade to the latest version of the FileField module. The vendor response is fully detailed in SA-CONTRIB-2010-066 (http://drupal.org/node/829808).
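The rendering defect and the two ways of escaping it, as an added Python illustration that is not part of the advisory or of the FileField module: check_plain(), file_create_path() and the 'Path to file' formatter are re-implemented as minimal stand-ins (the files directory and the legitimate sample filename are constructed assumptions), so the effect of escaping before versus after the path is built can be compared for the advisory's proof-of-concept name and for an ordinary name containing an ampersand.

```python
import html

FILES_DIR = "sites/default/files"  # constructed public files directory (assumption)

# Constructed sample filenames: the advisory's proof-of-concept name and a legitimate one.
POC_NAME = "<iframe src=\"index.php\" onload=\"alert('xss')\">.gif"
LEGIT_NAME = "report & notes.gif"


def check_plain(text):
    """Mirror Drupal's check_plain(): htmlspecialchars() with ENT_QUOTES, UTF-8."""
    return (text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace('"', "&quot;").replace("'", "&#039;"))


def file_create_path(filepath):
    """Stand-in for Drupal 6 file_create_path(): place the file under the public files directory."""
    return f"{FILES_DIR}/{filepath}"


def path_formatter_vulnerable(item):
    """FileField 6.x-3.3 'Path to file' formatter: the raw filename reaches the page unescaped."""
    return "" if not item.get("filepath") else file_create_path(item["filepath"])


def path_formatter_patched(item):
    """The advisory's patch: escape the filename before the path is built."""
    return "" if not item.get("filepath") else file_create_path(check_plain(item["filepath"]))


def path_formatter_escape_output(item):
    """Alternative: escape the finished path, so the path string itself is left intact."""
    return "" if not item.get("filepath") else check_plain(file_create_path(item["filepath"]))


def is_markup_safe(rendered):
    """True when the rendered string contains no raw HTML-significant characters."""
    return not any(ch in rendered for ch in '<>"\'')


def unescaped_path(rendered):
    """Decode an escaped rendering back to the path a browser would display."""
    return html.unescape(rendered)


if __name__ == "__main__":
    for fn in (path_formatter_vulnerable, path_formatter_patched, path_formatter_escape_output):
        print(fn.__name__, "safe:", is_markup_safe(fn({"filepath": POC_NAME})))
    # Escaping before path construction changes the path for a legitimate '&' filename;
    # escaping the output does not.
    print(path_formatter_patched({"filepath": LEGIT_NAME}) == file_create_path(LEGIT_NAME))
    print(unescaped_path(path_formatter_escape_output({"filepath": LEGIT_NAME})) == file_create_path(LEGIT_NAME))
```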