Drupal Embedded Media Field Module Arbitrary File Upload and Code Exec Vulnerability

30 November -0001

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Embedded Media Field module (http://drupal.org/project/emfield) "will create fields for content types that can be used to display video, image, and audio files from various third party providers" Unfortunately the Embedded Media Field module contains a vulnerability that could allow arbitrary file upload and potentially code execution. The proof of concept and patch detailed below only cover the upload of an image directly to the server, but a remotely sourced image could also be used to exploit this vulnerability.

Systems affected:

Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was tested and shown to be vulnerable

Impact

Malicious users can upload arbitrary files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP extensions not included in this list (such as .phtml, or .php3) which would allow attackers to upload and execute arbitrary PHP code. Attackers could also upload malicious documents or other material with virus payload and use these to attack other users or exploit flaws in file include vulnerabilities.

Mitigating factors:

In order to exploit this vulnerability the attacker must have the ability to edit or create content of a content type with an embedded media field and custom thumbnail.

Proof of concept:

  1. Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25
  2. Enable the Content, Embedded Media Field, Embedded Audio Field, and Embedded Medi Thumbnail modules from ?q=/admin/build/modules
  3. Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields
  4. Add a 'New Field' in the form at the bottom of this page with the label 'audio' the field name 'field_audio' the type 'Embedded Audio' and the form element '3rd Party Aduio' then click the 'Save' button
  5. Configure the new video field from ?q=admin/content/node-type/story/fields/field_video
  6. Select all content providers for convenience, ensure the 'Allow custom thumbnails for this
  7. field' checkbox is checked and click 'Save field settings' button at the bottom of the form
  8. Create a new piece of story content from ?q=node/add/story entering arbitrary values.
  9. Upload a test file called test.phtml as the custom image thumbnail.
  10. Click the 'Upload' button
  11. Although an error is displayed the file is still uploaded and available at sites/default/files/test.phtml by default