Drupal Embedded Media Field Module Arbitrary File Upload and Code Exec Vulnerability
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Embedded Media Field module (http://drupal.org/project/emfield) "will create fields for content types that can be used to display video, image, and audio files from various third party providers" Unfortunately the Embedded Media Field module contains a vulnerability that could allow arbitrary file upload and potentially code execution. The proof of concept and patch detailed below only cover the upload of an image directly to the server, but a remotely sourced image could also be used to exploit this vulnerability.
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was tested and shown to be vulnerable
Malicious users can upload arbitrary files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP extensions not included in this list (such as .phtml, or .php3) which would allow attackers to upload and execute arbitrary PHP code. Attackers could also upload malicious documents or other material with virus payload and use these to attack other users or exploit flaws in file include vulnerabilities.
In order to exploit this vulnerability the attacker must have the ability to edit or create content of a content type with an embedded media field and custom thumbnail.
Proof of concept:
- Install Drupal 6-19, CCK module, and Embedded Media Field module version 6.x-1.25
- Enable the Content, Embedded Media Field, Embedded Audio Field, and Embedded Medi Thumbnail modules from ?q=/admin/build/modules
- Alter the default 'Story' content type at ?q=admin/content/node-type/story/fields
- Add a 'New Field' in the form at the bottom of this page with the label 'audio' the field name 'field_audio' the type 'Embedded Audio' and the form element '3rd Party Aduio' then click the 'Save' button
- Configure the new video field from ?q=admin/content/node-type/story/fields/field_video
- Select all content providers for convenience, ensure the 'Allow custom thumbnails for this field' checkbox is checked and click 'Save field settings' button at the bottom of the form
- Create a new piece of story content from ?q=node/add/story entering arbitrary values.
- Upload a test file called test.phtml as the custom image thumbnail.
- Click the 'Upload' button
- Although an error is displayed the file is still uploaded and available at sites/default/files/test.phtml by default