-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Drupal Imagefield Module Multiple Vulnerabilities
Security Risk: High
Exploitable: Remotely
Vulnerabilities: Arbitrary File Upload, Cross Site Scripting
Discovered by: Justin C. Klein Keane, Andrew Rosborough
Tested: Imagefield 5.x-2.2 on Drupal 5.15
Description
Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team (http://drupal.org/security), third party modules are not reviewed for security.
The Imagefield module (http://drupal.org/project/imagefield) is a module that extends the Drupal CCK (Content Creation Kit) module (http://www.drupal.org/project/cck) by allowing users to add image fields to custom content types.
Arbitrary File Upload Vulnerability
Two flaws exist in this module. The first allows an attacker to upload arbitrary files to the web server's filesystem. The upload is performed in place of the 'Default image' specified in the Imagefield settings for a content type field. On a default installation files land in Drupal's /files/imagefield_default_images/ directory ('files' being the default upload directory set through Drupal's administrative configuration; the path may vary).
Mitigating Factors
Attackers must be authenticated with an account that has the 'administer content types' permission. Additionally, Drupal protects the files directory and its subdirectories with an .htaccess file located in the files directory that specifies:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
This prevents direct execution of PHP files, but only where the web server honours that .htaccess (Apache with AllowOverride enabled); other servers, or an Apache configuration that ignores .htaccess files, offer no such protection. Additionally Drupal's file_check_upload() function munges file extensions that match PHP, PL, PY, CGI, ASP, and JS with the following code:
  // Rename potentially executable files, to help prevent exploits.
  if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&
      (substr($file->filename, -4) != '.txt')) {
    $file->filemime = 'text/plain';
    $file->filepath .= '.txt';
    $file->filename .= '.txt';
  }
Note that this is a denylist anchored at the end of the filename: extensions not in the list (for example .exe, .phtml or .php5) are stored unmodified, so the rename is not a substitute for verifying that an upload is actually an image.
Exploiting the File Upload Vulnerability
To exploit the vulnerability an attacker with 'administer content types' permission uploads a non-image file as the 'Default image' of an image field. The module does not verify that the upload is an image, and an extension such as .exe is not in the file_check_upload() rename list, so the file is stored under its original name. The result on the test system:
# cd /var/www/html/drupal-5.15/files/imagefield_default_images/
# ls
-rw-rw-r-- 1 apache apache 18 2009-01-22 10:22 field_test_0.exe
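The following is an added example, not code from the advisory or from Drupal. It reimplements the file_check_upload() rename rule quoted above in Python so the denylist's gaps can be seen on constructed filenames, and sets beside it an assumed hardening for an image-only field (allow-listed extension plus a magic-byte check on the content), which is a suggested check and not Imagefield's own code.

```python
import re
from typing import Optional

# Drupal 5's file_check_upload() rename rule, reimplemented for illustration
# (this is not Drupal's code). It is a denylist: only the listed extensions,
# at the very end of the name, get ".txt" appended.
EXECUTABLE_RE = re.compile(r'\.(php|pl|py|cgi|asp|js)$', re.IGNORECASE)


def drupal5_rename(filename: str) -> str:
    """Return the name the file is stored under after the denylist check."""
    if EXECUTABLE_RE.search(filename) and not filename.endswith('.txt'):
        return filename + '.txt'
    return filename


# Assumed hardening for an image field: allow-listed extension AND matching
# magic bytes. Not Imagefield's code; a policy a module author could adopt.
IMAGE_EXTENSIONS = {'jpg': 'jpeg', 'jpeg': 'jpeg', 'png': 'png', 'gif': 'gif'}
MAGIC = (
    (b'\xff\xd8\xff', 'jpeg'),
    (b'\x89PNG\r\n\x1a\n', 'png'),
    (b'GIF87a', 'gif'),
    (b'GIF89a', 'gif'),
)


def sniff_image(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes; None if it is not a known image."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def image_upload_ok(filename: str, data: bytes) -> bool:
    """Accept only when the extension is allow-listed and the content agrees."""
    name = filename.lower()
    if '.' not in name:
        return False
    ext = name.rsplit('.', 1)[1]
    expected = IMAGE_EXTENSIONS.get(ext)
    if expected is None:
        return False
    return sniff_image(data) == expected


# Constructed sample uploads: the advisory's case (a .exe slips past the
# rename), common bypass spellings, and two genuine images.
SAMPLES = {
    'field_test.exe': b'MZ\x90\x00 not an image',
    'shell.php':      b'<?php system($_GET["c"]); ?>',
    'shell.PHP':      b'<?php system($_GET["c"]); ?>',
    'shell.phtml':    b'<?php system($_GET["c"]); ?>',
    'shell.php.png':  b'<?php system($_GET["c"]); ?>',
    'logo.png':       b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
    'photo.jpg':      b'\xff\xd8\xff\xe0' + b'\x00' * 16,
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample to (stored name under the Drupal 5 rule, accepted by allow-list)."""
    return {name: (drupal5_rename(name), image_upload_ok(name, data))
            for name, data in samples.items()}


if __name__ == '__main__':
    for name, (stored, ok) in evaluate().items():
        verdict = 'accept' if ok else 'reject'
        print(f'{name:16} stored as {stored:16} image allow-list: {verdict}')
```

Running it shows that only shell.php and shell.PHP are renamed by the denylist, while field_test.exe and shell.phtml are stored untouched; the allow-list rejects every non-image regardless of name, including shell.php.png, whose extension passes but whose content does not.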
Cross Site Scripting (XSS) Vulnerability
The Imagefield module also contains an XSS vulnerability in the 'Help text' field. Any user with the 'administer content types' permission can edit or create a content type that contains an image field. In the 'Widget settings' fieldset presented during configuration of that image field, a textarea labeled 'Help text:' is offered. Arbitrary script entered into this textarea is stored and later output without escaping. This vulnerability is especially dangerous because the script executes whenever a user creates new content of the affected type, so site administrators who create content are exposed to the attack.
iQD1AwUBSYG6EZEpbGy7DdYAAQJChgb+LUEHPrQ1GboCjvl7aKeUx7KRtu56IBnj
txM6pKTjBNI42iaTIKnMK+acBtcoN5TJhtyMsrOfjaLEFsjT08Sc0WQKk8H8LAMw
rb9qWO1L01MqnbyByUZSDltyV9BI4z5dI8ekjowsL6KcrZfGPCumBt8m+FuzxPLX
vXQ+huGZQihq3lmmbdd0gc83f6hvIG6MADha6yutv1tY0H0Y1B06ZAkizh+LUvhu
mY3u6LrIWZqnZr/NRAcsX09q+4AHp+3w8va/8kx7EixzkiWK8NwXGLL+MWatT5sq
zv/ZgrnspW4=
=zBEx
-----END PGP SIGNATURE-----