Drupal ImageField 5.x-2.2 Multiple Vulnerabilities

30 November -0001

Security Risk: High

Exploitable: Remotely

Vulnerabilities: Arbitrary File Upload, Cross Site Scripting

Discovered by: Justin C. Klein Keane, Andrew Rosborough

Tested: Imagefield 5.x-2.2 on Drupal 5.15

Description

Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team (http://drupal.org/security), third party modules are not reviewed for security.

The Imagefield module (http://drupal.org/project/imagefield) is a module that extends the Drupal CCK (Content Creation Kit) module (http://www.drupal.org/project/cck) by allowing users to add image fields to custom content types.

Arbitrary File Upload Vulnerability

Two flaws exist in this module. The first flaw allows for an attacker to upload arbitrary files to the filesystem. The vulnerability allows attackers to upload arbitrary files in place of the 'Default image' specified in the Imagefield specifications for a content type field. Files are uploaded to Drupal's /files/imagefield_default_files/ directory on a default installation (with files specified as the default upload directory through Drupal's administrative configuration - this may vary).

Mitigating Factors

Attackers must be authenticated with an account that has 'administer content types' permissions. Additionally, Drupal protects the files directory, and subdirectories with an .htaccess file located in the files directory that specifies:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

This will prevent the direct execution of PHP files. Additionally Drupal's file_check_upload() function munges the file extensions that match PHP, PL, PY, CGI, ASP, and JS with the following code:

// Rename potentially executable files, to help prevent exploits.
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&
 (substr($file->filename, -4) != '.txt')) {
      $file->filemime = 'text/plain';
      $file->filepath .= '.txt';
      $file->filename .= '.txt';
  }

Exploiting the File Upload Vulnerability

To exploit the vulnerability:

  1. Log in as a user with 'Administer content types' privilege
  2. Click Administer -> Content Types
  3. Click 'Add content type'
  4. Fill in required text in the Identification, Submission and other fieldsets
  5. Click 'Save content type' button
  6. Click 'edit' under the Operations column on the 'Administer' -> 'Content management' screen for the new content type
  7. Click 'Add field'
  8. Fill in the 'Name' text box in the 'Create new field' fieldset and select the 'Image' radio button
  9. Click the 'Create field' button
  10. In the next screen (assuming the new field was named 'test' and the new type was named 'test' this will be in Home > Administer > Content management > Content types > test) scroll down to the 'Data settings' fieldset
  11. Click the 'Browse' button in the 'Default image' fieldset and select a file from your filesystem.
  12. Click 'Save field settings' button
  13. Log into your server and do a directory listing of the upload directory to verify the new file has been uploaded.

# cd /var/www/html/drupal-5.15/files/imagefield_default_images/
# ls
- -rw-rw-r-- 1 apache apache    18 2009-01-22 10:22 field_test_0.exe

Finally, browse to the file: drupal/files/imagefield_default_images/field_test_0.exe

Cross Site Scripting (XSS) Vulnerability

The Imagefield module also contains a XSS vulnerability in the 'Help' field. Any user with rights to administer content types can edit a content type that contains an image field or create a content type that contains an image field. In the 'Widget settings' fieldset presented during configuration of the specific image field a textarea labeled 'Help text:' is presented. Arbitrary script can be entered into this text area and it is not escaped. This vulnerability is especially dangerous because the script executes whenever a user creates new content of the type with the XSS infected help text. This potentially exposes site administrators to the XSS attack.