Drupal Embedded Media 6.x-1.0 Multiple XSS
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Embedded Media Field (http://drupal.org/project/emfield) module is a Content Construction Kit (CCK) module that allows for the creation of node content types that can be used for displaying video, image or audio files from a third party. The Embedded Media Field module contains several cross site scripting (XSS) vulnerabilities:
The Embedded Media Field module contains a XSS vulnerability because it does not properly sanitize the output of 'Help text', 'Custom thumbnail label', of 'Custom thumbnail description' specified when creating an Embedded Media Field content type field.
Drupal 6.12 with CCK 6.x-2.2 and Embedded Media Field 6.x-1.0 was tested and shown to be vulnerable.
XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.
The Embedded Media Field module must be installed. Only users who have rights to create content or administer content types are exposed to this attack vector, although these accounts are generally privileged, representing a greater risk. 'Administer content types' privilege is required to carry out the proof of concept below, although other vectors may exist.
Vendor has filed a bug report with module maintainer at http://drupal.org/node/474790.
Proof of concept:
- Install Drupal 6.12 and CCK.
- Install Embedded Media Field and enable all Print functionality through Administer-> Modules.
- Adjust fields in the 'Story' content type by clicking on Administer -> Content management -> Content types, then clicking 'manage fields' next to 'Story'
- In the 'Add' field type in an arbitrary field label and field name in the 'New field' area
- Select 'Embedded Video' from the 'Type of data to store' drop down
- Click the 'Save' button
- On the resultant screen fill in "<script>alert('custom thumbnail label xss');</script>" in the "Custom thumbnail label:" text field
- Fill in "<script>alert('custom thumbnail description xss');</script>" in the "Custom thumbnail description:" text field
- Fill in "