emfield 5.x-1.12

Downloads

Download emfield-5.x-1.12.tar.gztar.gz 86.03 KB

MD5: 798dac66c15ade0756b98ca264822ea7

SHA-1: 686248e760e64502fa8bd4987d11c9460b2b9eb9

SHA-256: 8eb2ae0d00b34d1fc140fd31b7355d7050d17b45db6e210388dd92975dbcb464

Download emfield-5.x-1.12.zipzip 136.51 KB

MD5: 8adc35b490908d4c6383ee08308e7b6a

SHA-1: f40c69a4a1113ed1dbbb9b571981b09f23afd5ee

SHA-256: 7721459fa2b9e88e9ed85310697ec3a25a31d3c65ef4b33e6b8378e612ceac26

Release notes

Advisory ID: DRUPAL-SA-CONTRIB-2010-109
Projects: Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam (third-party module)
Version: 5.x and 6.x
Date: 2010-December-08
Security risk: Moderately Critical
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Description

1 - Arbitrary File Upload/Code Execution Vulnerability

The Embedded Thumbnail module (packaged with the project) allows users who upload videos to upload their own thumbnails to replace The Drupal Embedded Media Field module. Unfortunately, the Embedded Thumbnail Module contains a vulnerability that could allow arbitrary file upload, as well as potentially remote and potentially code execution. Malicious users can upload arbitrary files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP extensions not included in this list (such as .phtml, or .php3) which would allow attackers to upload and execute arbitrary PHP code. Attackers could also upload malicious documents or other material with virus payload and use these to attack other users or exploit flaws in file include vulnerabilities. This exploit is mitigated by the fact that the site must have a content type with an embedded media field that allows users to upload custom thumbnails, and the user must have access to create or edit the content type.

2 - Embed XSS Vulnerability

The 5.x-1.x and 6.x-1.x versions of the Embedded Media Field module comes packaged with "custom provider files" that allow users to add audio and video files to their site by posting a link to the direct url of an audio or video the field emfield provides. Unfortunately the Embedded Media Field module contains an arbitrary HTML injection vulnerability (also known as cross site scripting, or XSS) due to the fact that it fails to sanitize user supplied audio file paths and embed codes before display. Please note, recently these 6.x-2.x branch of the Embedded Media Field module, the custom audio and video provider files were moved to separate modules: Media: Video Flotsam 6.x-1.2 and Media: Audio Flotsam. This exploit is mitigated by the fact that the site must have a content type with an embedded media field that has the custom audio or video provider file enabled, and the user must have access to create or edit the content type.

Versions affected

Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and 6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12.
Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2.
Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed Embedded Media Field module, together with the Embedded Thumbnail Field module or the custom audio and video provider files included in emfield as well as in Media: Audio Flotsam and/or Media: Video Flotsam, there is nothing you need to do.

Solution

Install the latest version:

If you use the Embedded Media Field module for Drupal 6.x upgrade to either Embedded Media Field 6.x-2.4 or Embedded Media Field 6.x-1.26.
If you use the Embedded Media Field module for Drupal 5.x upgrade to Embedded Media Field 5.x-1.12.
If you use the Media: Video Flotsam module upgrade to Media: Video Flotsam 6.x-1.2
If you use the Media: Audio Flotsam module upgrade to Media: Audio Flotsam 6.x-1.1