Drupal FileField Sources XSS Vulnerability

30 May 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
Reported: February 17, 2012
CVE: Requested
OSVDB: 85708

Description of Vulnerability:

The Drupal FileField Sources module (https://drupal.org/project/filefield_sources) "lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means." The module contains a persistent cross-site scripting (XSS) vulnerability: it fails to sanitize user-supplied filenames before displaying them in the 'Reference existing' autocomplete results, so a filename that contains markup is rendered as HTML in the browser of any user who searches for it.

Systems affected:

Drupal 6.24 with FileField Sources 6.x-1.4 was tested and shown to be vulnerable

Impact:

Users creating new content could be subject to account compromise, client-side attack, or other consequences of arbitrary script execution in their browser session. (Ref: http://www.madirish.net/548)

Mitigating factors:

To inject script, a malicious user must be able to upload files to a file field. The proof of concept below also relies on the 'Autocomplete reference textfield' source being enabled for that field, since the unsanitized filename is rendered in the autocomplete results.

Proof of Concept:

  1. Install and enable the CCK, FileField, and FileField Sources modules
  2. Add a new file field for the Story content type at ?q=admin/content/node-type/story/fields
  3. Add 'jpg' as an allowed extension and check 'Autocomplete reference textfield' in the 'File sources' fieldgroup
  4. Select 'Contains string' from the 'Autocomplete reference options' fieldgroup
  5. Rename a JPEG on your system to <iframe src='index.php' onLoad='javascript:alert("xss");'>.jpg
  6. Create a new Story at ?q=node/add/story, uploading the renamed image through the file field added in step 2
  7. Create another Story at ?q=node/add/story
  8. Click 'Reference existing' in the file field and type 'if' (a substring of the malicious filename) in the text box; the autocomplete result renders the iframe and the JavaScript alert box appears.
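The following stand-alone PHP script is an added example written for this page; it is not code from the advisory author or from the FileField Sources module. It reproduces the autocomplete item rendering from reference.inc with the stored filename concatenated verbatim, beside a hardened version that escapes the filename as plain text, and runs both over a benign name and the PoC filename from step 5. Drupal's format_size() and check_plain() are replaced by local stand-ins (format_size_stub, check_plain_stub); the check_plain_stub assumes check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8, which is what Drupal 6 does. Unlike the patch below, the hardened variant escapes rather than filters; that choice is the editor's.

```php
<?php
// Added example (editor's, not the advisory author's and not FileField Sources
// code). Reproduces the autocomplete item rendering from reference.inc with the
// stored filename concatenated verbatim, beside a hardened version that escapes
// it. Drupal's format_size() and check_plain() are replaced by local stand-ins;
// the check_plain() stand-in assumes it is htmlspecialchars() with ENT_QUOTES
// and UTF-8, which is what Drupal 6 does.

function format_size_stub($size)
{
    // Rough stand-in for Drupal's format_size(); enough for the demonstration.
    return $size < 1024 ? $size . ' bytes' : round($size / 1024, 2) . ' KB';
}

function check_plain_stub($text)
{
    // Plain-text escaping: every '<', '>', '&', '"' and "'" becomes an entity.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable rendering: $file->filename is attacker-controlled (the uploader
// chose it) and lands in the HTML unescaped.
function render_item_vulnerable($file)
{
    $output  = '<div class="filefield-source-reference-item">';
    $output .= '<span class="filename">' . $file->filename . '</span> ';
    $output .= '<span class="filesize">(' . format_size_stub($file->filesize) . ')</span>';
    $output .= '</div>';
    return $output;
}

// Hardened rendering: the filename is data, not markup, so it is escaped as text.
function render_item_hardened($file)
{
    $output  = '<div class="filefield-source-reference-item">';
    $output .= '<span class="filename">' . check_plain_stub($file->filename) . '</span> ';
    $output .= '<span class="filesize">(' . format_size_stub($file->filesize) . ')</span>';
    $output .= '</div>';
    return $output;
}

// Constructed sample records: a benign upload and the advisory's PoC filename.
$benign = (object) array('filename' => 'holiday.jpg', 'filesize' => 204800);
$poc    = (object) array(
    'filename' => '<iframe src=\'index.php\' onLoad=\'javascript:alert("xss");\'>.jpg',
    'filesize' => 1024,
);

foreach (array($benign, $poc) as $file) {
    echo "vulnerable: " . render_item_vulnerable($file) . "\n";
    echo "hardened:   " . render_item_hardened($file) . "\n\n";
}

// The check a reviewer would run: the PoC name yields a raw <iframe> in the
// vulnerable output and only entities (&lt;iframe ...) in the hardened one.
if (strpos(render_item_vulnerable($poc), '<iframe') === false) {
    throw new Exception('expected the vulnerable renderer to emit a raw <iframe>');
}
$hardened = render_item_hardened($poc);
if (strpos($hardened, '<iframe') !== false || strpos($hardened, '&lt;iframe') === false) {
    throw new Exception('hardened renderer leaked markup from the filename');
}
echo "ok: hardened output contains no markup from the filename\n";
```

Run it with `php filename_xss.php`. The vulnerable line prints the PoC name as a live `<iframe ... onLoad=...>` tag, which is exactly what the browser executes when Drupal's autocomplete inserts the returned HTML into the suggestion list; the hardened line prints `&lt;iframe ...&gt;.jpg`, so the user sees the odd filename but no script runs.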


The following patch mitigates this vulnerability:

--- filefield_sources/sources/reference.inc	2011-04-25 18:10:22.000000000 -0400
+++ filefield_sources/sources/reference.inc	2012-02-17 10:01:39.542168236 -0500
@@ -178,7 +178,7 @@ function filefield_source_reference_auto
 function theme_filefield_source_reference_autocomplete_item($file) {
   $output = '';
   $output .= '<div class="filefield-source-reference-item">';
-  $output .= '<span class="filename">' . $file->filename . '</span> <span class="filesize">(' . format_size($file->filesize) . ')</span>';
+  $output .= '<span class="filename">' . filter_xss($file->filename) . '</span> <span class="filesize">(' . format_size($file->filesize) . ')</span>';
   $output .= '</div>';
   return $output;
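Review bot: filter_xss() on the + line is the wrong primitive for a filename. It filters rather than escapes: by default it keeps a whitelist of inline tags (a, em, strong, cite, code, ul, ol, li, dl, dt, dd) and strips the rest, so a name such as `<em>photo</em>.jpg` would still render as markup in the autocomplete item, and a name containing a stripped tag is displayed altered rather than as stored. The filename is plain text, so escape it with check_plain(): `$output .= '<span class="filename">' . check_plain($file->filename) . '</span> <span class="filesize">(' . format_size($file->filesize) . ')</span>';`. This hunk only touches theme_filefield_source_reference_autocomplete_item(); any other place the module echoes $file->filename needs the same treatment.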

Vendor Response

On 19 September 2012, after publication of this report, the vendor released SA-CONTRIB-2012-147, which recommends upgrading to FileField Sources 6.x-1.6 or later, or 7.x-1.6 or later, depending on the Drupal version in use.