Date: 09 December 2010
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2010.1112
A number of vulnerabilities have been found in Drupal third-party modules
9 December 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Who Bought What|Ubercart (Drupal third-party module)
                   Embedded Media Field, Media: Video Flotsam,
                   Media: Audio Flotsam (Drupal third-party module)
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
Original Bulletin:
                   http://drupal.org/node/992900
                   http://drupal.org/node/992924
Comment: This bulletin contains two (2) Drupal security advisories.
---------------------------BEGIN INCLUDED TEXT--------------------
* Advisory ID: DRUPAL-SA-CONTRIB-2010-108
* Project: Who Bought What|Ubercart (third-party module)
* Version: 6.x
* Date: 2010-Dec-08
* Security risk: Highly Critical
* Exploitable from: Remote
* Vulnerability: Multiple Vulnerabilities
--------- DESCRIPTION ---------------------------------------------------------
The Who Bought What module collects and displays relevant information about
purchases, including purchaser name, quantity, payment status, and all
attributes. The module does not properly sanitize arguments passed via the
URL when used in SQL queries, leading to a SQL Injection [1] vulnerability.
Additionally, the module neglects to sanitize some of the user-generated
content before displaying it, leading to a Cross-Site Scripting (XSS [2])
vulnerability. Finally, the module allows users with the "view
uc_who_bought_what" permission to view the title of any node in the system,
including unpublished nodes and nodes that the user might otherwise not have
access to, which constitutes an Information Disclosure vulnerability.
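The three fixes the description calls for (an integer-bound SQL placeholder, node access applied to the titles, and escaped output) as one hypothetical Drupal 6 page callback. This is added illustration, not the Who Bought What module's code: the function names and the query are invented, the 'view uc_who_bought_what' permission is taken from the advisory, and the block relies on a Drupal 6 runtime for db_query(), db_rewrite_sql(), node_access() and check_plain().

```php
<?php
// Hypothetical Drupal 6 page callback (added illustration, not the module's code).
// Assumes a Drupal 6 runtime: db_query(), db_rewrite_sql(), db_fetch_object(),
// node_load(), node_access(), check_plain(), arg(), t().
// The menu item routing here is assumed to carry
//   'access arguments' => array('view uc_who_bought_what')

// BEFORE: the URL argument is pasted into the SQL string (SQL injection), the
// title is printed unescaped (XSS), and no node access check is made, so the
// title of any node, published or not, is returned (information disclosure).
function ucwbw_example_page_vulnerable() {
  $nid = arg(1);
  $result = db_query("SELECT nid, title FROM {node} WHERE nid = $nid");
  $output = '';
  while ($row = db_fetch_object($result)) {
    $output .= '<h2>' . $row->title . '</h2>';
  }
  return $output;
}

// AFTER: %d binds the argument as an integer, db_rewrite_sql() adds the
// node_access join so the database only returns nodes this user may view,
// node_access() re-checks per node, and check_plain() escapes the title.
function ucwbw_example_page_fixed() {
  $nid = (int) arg(1);
  $sql = "SELECT n.nid FROM {node} n WHERE n.nid = %d AND n.status = 1";
  $result = db_query(db_rewrite_sql($sql), $nid);
  $output = '';
  while ($row = db_fetch_object($result)) {
    $node = node_load($row->nid);
    if (!$node || !node_access('view', $node)) {
      continue;
    }
    $output .= '<h2>' . check_plain($node->title) . '</h2>';
  }
  return $output !== '' ? $output : t('No matching purchases.');
}
```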
--------- VERSIONS AFFECTED ---------------------------------------------------
* Who Bought What|Ubercart module for Drupal 6.x versions prior to 6.x-2.11.
Drupal core is not affected. If you do not use the contributed Who Bought
What|Ubercart module, there is nothing you need to do.
--------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Who Bought What|Ubercart module for Drupal 6.x, upgrade to
Who Bought What|Ubercart 6.x-2.11 [3].
See also the Who Bought What|Ubercart project page [4].
--------- REPORTED BY ---------------------------------------------------------
* The SQL Injection vulnerability was reported by Mark Styles (lambic [5])
* The XSS and Information Disclosure vulnerabilities were reported by
mr.baileys [6] of the Drupal.org Security Team
--------- FIXED BY ------------------------------------------------------------
* Michael Moradzadeh (Cayenne [7]), module maintainer
--------- CONTACT -------------------------------------------------------------
The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact [8].
[1] http://en.wikipedia.org/wiki/SQL_Injection
[2] http://en.wikipedia.org/wiki/Cross-site_scripting
[3] http://drupal.org/node/991762
[4] http://drupal.org/project/uc_who_bought_what
[5] http://drupal.org/user/58843
[6] http://drupal.org/user/383424
[7] http://drupal.org/user/92993
[8] http://drupal.org/contact
_______________________________________________
* Advisory ID: DRUPAL-SA-CONTRIB-2010-109
* Projects: Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam
(third-party module)
* Version: 5.x and 6.x
* Date: 2010-December-08
* Security risk: Moderately Critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
--------- DESCRIPTION ---------------------------------------------------------
1 - Arbitrary File Upload/Code Execution Vulnerability
The Embedded Thumbnail module (packaged with the project) allows users who
upload videos to upload their own thumbnails in place of those provided by
the Drupal Embedded Media Field module. Unfortunately, the Embedded Thumbnail
module contains a vulnerability that allows arbitrary file upload and
potentially remote code execution. Malicious users can upload arbitrary
files with extensions other than .php, .pl, .py, .cgi, .asp, or .js. Many web
servers support legacy PHP extensions not included in this list (such as
.phtml or .php3), which would allow attackers to upload and execute arbitrary
PHP code. Attackers could also upload malicious documents or other material
carrying a virus payload and use these to attack other users, or to exploit
file inclusion vulnerabilities. This exploit is mitigated by the fact that the
site must have a content type with an embedded media field that allows users
to upload custom thumbnails, and the user must have access to create or edit
the content type.
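Why the six-extension blacklist described above does not hold, beside the allowlist check that Drupal 6 applies when file_validate_extensions() is passed to file_save_upload() as a validator. Added example in plain PHP that runs stand-alone; it is not the Embedded Thumbnail module's code, and the function names and sample filenames are constructed.

```php
<?php
// Added illustration, not the Embedded Thumbnail module's code. Plain PHP.

// Blacklist as described in the advisory: only these six extensions are
// refused. They are also the six that Drupal 6 core's file_save_upload()
// renames to .txt when no file_validate_extensions validator is supplied.
function thumbnail_blocked_by_blacklist($filename) {
  $denied = array('php', 'pl', 'py', 'cgi', 'asp', 'js');
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return in_array($ext, $denied, TRUE);
}

// Allowlist: the same decision Drupal 6 file_validate_extensions() makes, a
// file is accepted only when its extension is on the permitted list. A
// thumbnail is an image, so image extensions are all the policy needs.
function thumbnail_allowed_by_allowlist($filename, $allowed = 'jpg jpeg gif png') {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return $ext !== '' && in_array($ext, explode(' ', $allowed), TRUE);
}

// Constructed sample uploads; .phtml and .php3 are the legacy extensions the
// advisory names as executable on many web servers. The blacklist lets them
// through, the allowlist refuses them.
$samples = array('cover.jpg', 'cover.JPG', 'shell.php', 'shell.phtml',
                 'shell.php3', 'cover');
foreach ($samples as $name) {
  printf("%-12s blacklist refuses: %-4s allowlist accepts: %s\n",
    $name,
    thumbnail_blocked_by_blacklist($name) ? 'yes' : 'no',
    thumbnail_allowed_by_allowlist($name) ? 'yes' : 'no');
}

// In a Drupal 6 module the allowlist is expressed as a validator (assumed
// form field name 'thumbnail'):
//   file_save_upload('thumbnail',
//     array('file_validate_extensions' => array('jpg jpeg gif png')));
```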
2 - Embed XSS Vulnerability
The 5.x-1.x and 6.x-1.x versions of the Embedded Media Field module come
packaged with "custom provider files" that allow users to add audio and video
files to their site by posting a link to the direct URL of an audio or video
file in the field emfield provides. Unfortunately, the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as
cross-site scripting, or XSS) because it fails to sanitize user-supplied
audio file paths and embed codes before display. *Please note*: in the 6.x-2.x
branch of the Embedded Media Field module, the custom audio and video provider
files were recently moved to separate modules, Media: Video Flotsam 6.x-1.2 [1]
and Media: Audio Flotsam [2]. This exploit is mitigated by the fact that the
site must have a content type with an embedded media field that has the custom
audio or video provider file enabled, and the user must have access to create
or edit the content type.
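A user-supplied media URL being validated (scheme and host) and escaped before it is placed in markup, as added illustration of the sanitization the paragraph above says was missing; this is not emfield's or the Flotsam modules' code. Plain PHP that runs stand-alone; the function names, the provider host list and the sample inputs are constructed assumptions.

```php
<?php
// Added illustration, not emfield's or the Flotsam modules' code. Plain PHP.

// Accept only http/https URLs on a known provider host; return NULL otherwise.
function emfield_example_validate_media_url($url, array $provider_hosts) {
  $parts = parse_url(trim($url));
  if ($parts === FALSE || empty($parts['scheme']) || empty($parts['host'])) {
    return NULL;
  }
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return NULL;                         // refuses javascript:, data:, etc.
  }
  if (!in_array(strtolower($parts['host']), $provider_hosts, TRUE)) {
    return NULL;                         // not one of the provider's hosts
  }
  return $url;
}

// Build the markup. The value is escaped for an HTML attribute, which is
// what Drupal's check_plain() does (htmlspecialchars, ENT_QUOTES, UTF-8), so
// a quote or tag smuggled into the path or query cannot break out.
function emfield_example_render_audio($url, array $provider_hosts) {
  $safe = emfield_example_validate_media_url($url, $provider_hosts);
  if ($safe === NULL) {
    return '<p>Unsupported media URL.</p>';
  }
  $escaped = htmlspecialchars($safe, ENT_QUOTES, 'UTF-8');
  return '<audio controls src="' . $escaped . '"></audio>';
}

$hosts = array('media.example.org');     // constructed provider host list
$inputs = array(                         // constructed sample inputs
  'http://media.example.org/track.mp3',  // accepted as-is
  'http://media.example.org/a.mp3?x="<b>', // accepted, quote and tag escaped
  'javascript:void(0)',                  // refused: non-http scheme
  'http://other.example.net/track.mp3',  // refused: unknown host
);
foreach ($inputs as $in) {
  echo emfield_example_render_audio($in, $hosts), "\n";
}
```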
--------- VERSIONS AFFECTED ---------------------------------------------------
* Embedded Media Field module for Drupal 6.x versions prior to 6.x-1.26 and
6.x-2.4, and for Drupal 5.x versions prior to 5.x-1.12.
* Media: Video Flotsam module for Drupal 6.x versions prior to 6.x-1.2.
* Media: Audio Flotsam module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Embedded Media
Field [3] module, together with the Embedded Thumbnail Field module or the
custom audio and video provider files included in emfield as well as in
Media: Audio Flotsam [4] and/or Media: Video Flotsam [5], there is nothing
you need to do.
--------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Embedded Media Field module for Drupal 6.x, upgrade to
either Embedded Media Field 6.x-2.4 [6] or Embedded Media Field 6.x-1.26
[7].
* If you use the Embedded Media Field module for Drupal 5.x, upgrade to
Embedded Media Field 5.x-1.12 [8].
* If you use the Media: Video Flotsam module, upgrade to Media: Video Flotsam
6.x-1.2 [9].
* If you use the Media: Audio Flotsam module, upgrade to Media: Audio Flotsam
6.x-1.1 [10].
--------- REPORTED BY ---------------------------------------------------------
* Stella Power (stella) [11], of the Drupal security team
--------- FIXED BY ------------------------------------------------------------
* Stella Power (stella) [12]
* Matthew Klein (kleinmp) [13], module co-maintainer
--------- CONTACT -------------------------------------------------------------
The Drupal security team [14] can be reached at security at drupal.org or via
the form at http://drupal.org/contact [15].
[1] http://drupal.org/project/media_video_flotsam
[2] http://drupal.org/project/media_audio_flotsam
[3] http://drupal.org/project/emfield
[4] http://drupal.org/project/media_audio_flotsam
[5] http://drupal.org/project/media_video_flotsam
[6] http://drupal.org/node/992912
[7] http://drupal.org/node/992910
[8] http://drupal.org/node/992906
[9] http://drupal.org/node/992918
[10] http://drupal.org/node/992916
[11] http://drupal.org/user/66894
[12] http://drupal.org/user/66894
[13] http://drupal.org/user/390447
[14] http://drupal.org/security-team
[15] http://drupal.org/contact
_______________________________________________
---------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================