Drupal FileField Sources XSS Vulnerability

30 May 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
Reported: February 17, 2012
CVE: Requested
OSVDB: 85708

Description of Vulnerability:

The Drupal FileField Sources module (https://drupal.org/project/filefield_sources) "lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means." The module contains a persistent (stored) cross site scripting (XSS) vulnerability: it fails to sanitize user-supplied filenames before rendering them in the 'Reference existing' autocomplete results, so a filename that contains HTML is inserted into the page as markup rather than as text.

Systems affected:

Drupal 6.24 with FileField Sources 6.x-1.4 was tested and shown to be vulnerable

Impact

Users creating new content could be subject to account compromise, client-side attack, or other consequences of arbitrary script execution in their browser, since the injected script runs in the session of whoever uses the autocomplete reference field (typically content editors and administrators). (Ref: http://www.madirish.net/548)

Mitigating factors:

To inject script, a malicious user must have permission to upload files through a file field. No further privilege is required: the payload fires for any user who later types a matching string into the 'Reference existing' autocomplete, including administrators.

Proof of Concept:

  1. Install and enable the CCK, FileField, and FileField Sources modules
  2. Add a new file field for the Story content type at ?q=admin/content/node-type/story/fields
  3. Add 'jpg' as an allowed extension and check 'Autocomplete reference textfield' in the 'File sources' fieldgroup
  4. Select 'Contains string' from the 'Autocomplete reference options' fieldgroup
  5. Rename a JPEG on your system to <iframe src='index.php' onLoad='javascript:alert("xss");'>.jpg (this must be done on a filesystem that permits these characters; Windows does not allow < > or " in filenames)
  6. Create a new Story at ?q=node/add/story, uploading the renamed image in the file field from step 2
  7. Create another Story at ?q=node/add/story
  8. Click 'Reference existing' in the file field and type 'if' in the text box to view the rendered iframe and JavaScript alert box.
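The following stand-alone PHP script is an added example, not code from the FileField Sources module or from this report. It reproduces the shape of theme_filefield_source_reference_autocomplete_item() outside Drupal so the unescaped and escaped renderings of the step 5 filename can be compared without a site install. format_size() is replaced by a hypothetical stub because Drupal is not loaded, and the hardened variant escapes with htmlspecialchars() and ENT_QUOTES, which is what Drupal's check_plain() does, instead of the filter_xss() tag whitelist.

```php
<?php
// Added example: mimics the module's autocomplete item theme function
// outside Drupal. The $file object and its filename are constructed from
// step 5 of the proof of concept; format_size_stub() is a hypothetical
// stand-in for Drupal's format_size().

function format_size_stub($bytes) {
    return round($bytes / 1024, 2) . ' KB';
}

// Before the patch: the filename is concatenated into markup unescaped,
// so any tags in it become part of the autocomplete result's DOM.
function render_item_unsafe($file) {
    return '<div class="filefield-source-reference-item">'
        . '<span class="filename">' . $file->filename . '</span> '
        . '<span class="filesize">(' . format_size_stub($file->filesize) . ')</span>'
        . '</div>';
}

// Hardened: treat the filename as plain text. htmlspecialchars() with
// ENT_QUOTES is what Drupal 6's check_plain() applies to valid UTF-8, and
// unlike filter_xss() it admits no tags or attributes at all.
function render_item_safe($file) {
    $name = htmlspecialchars($file->filename, ENT_QUOTES, 'UTF-8');
    return '<div class="filefield-source-reference-item">'
        . '<span class="filename">' . $name . '</span> '
        . '<span class="filesize">(' . format_size_stub($file->filesize) . ')</span>'
        . '</div>';
}

// Constructed input: the renamed JPEG from step 5 of the proof of concept.
$file = new stdClass();
$file->filename = '<iframe src=\'index.php\' onLoad=\'javascript:alert("xss");\'>.jpg';
$file->filesize = 20480;

$unsafe = render_item_unsafe($file);
$safe   = render_item_safe($file);

echo "Unescaped: $unsafe\n";
echo "Escaped:   $safe\n";

// Sanity checks: the tag survives verbatim in the unsafe output and is
// reduced to literal text in the hardened one.
assert(strpos($unsafe, '<iframe') !== false);
assert(strpos($safe, '<iframe') === false);
assert(strpos($safe, '&lt;iframe') !== false);
```

Run it with php on the command line. The unescaped line carries the iframe tag and its onLoad handler verbatim, which is what Drupal's autocomplete drops into the suggestion list in step 8; the escaped line shows the filename as literal text. check_plain() is the tighter choice for this spot because a filename never legitimately contains markup, whereas filter_xss() still lets a whitelist of tags through.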

Patch:

The following patch mitigates this vulnerability:

--- filefield_sources/sources/reference.inc	2011-04-25 18:10:22.000000000 -0400
+++ filefield_sources/sources/reference.inc	2012-02-17 10:01:39.542168236 -0500
@@ -178,7 +178,7 @@ function filefield_source_reference_auto
 function theme_filefield_source_reference_autocomplete_item($file) {
   $output = '';
   $output .= '<div class="filefield-source-reference-item">';
-  $output .= '<span class="filename">' . $file->filename . '</span> <span class="filesize">(' . format_size($file->filesize) . ')</span>';
+  $output .= '<span class="filename">' . filter_xss($file->filename) . '</span> <span class="filesize">(' . format_size($file->filesize) . ')</span>';
   $output .= '</div>';
   return $output;
 }
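Review bot: filter_xss() on the `+` line is a tag whitelist rather than an escaper, so a filename can still carry the tags filter_xss() allows by default (such as <a> and <em>) and their permitted attributes into the <span class="filename"> markup. Since a filename is plain text, escaping it with check_plain($file->filename) is the more precise fix and leaves no tag through; filter_xss() should be reserved for fields that are meant to hold limited HTML. This hunk also only covers the autocomplete theme function; any other path in the module that concatenates $file->filename into markup needs the same treatment.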

Vendor Response

On 19 September 2012, after the publication of this report, the vendor released SA-CONTRIB-2012-147, which recommends upgrading to FileField Sources 6.x-1.6 or 7.x-1.6 or later, depending on your version of Drupal.