Drupal FileField Module XSS Vulnerability

["Justin C. Klein Keane" <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FileField 6.x-3.3 Arbitrary Script Injection Vulnerability

CVE-2010-1958

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal FileField module
(http://drupal.org/project/filefield) "provides a universal file upload
field for CCK. It is a robust alternative to core's Upload module and an
absolute must for users uploading a large number of files. Great for
managing video and audio files for podcasts on your own site."  The
FileField module contains a cross site scripting (XSS) vulnerability due
to the fact that it fails to sanitize image filenames before display.

Systems affected:
- -----------------
Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown
to be vulnerable.

Impact
- ------
Users who have rights to create content may upload files (including
images) with malicious names that could result in script execution.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
- -------------------
Attacker must have rights to create content of a type that employs an
FileField CCK element.  This would include most content that had
attachments including imagery, documents, etc.

Additionally, Drupal's file handling must be set to Public in the File
system settings at ?q=admin/settings/file-system.  This is the default
configuration.

Further Details:
- ----------------
Further details about this vulnerability can be found at
http://www.madirish.net/?article=461

Vendor Response:
- ------------------------------------------
Vendor has responded by releasing a fixed version and a detailed
security announcement.  Vendor response is fully detailed in
SA-CONTRIB-2010-066 (http://drupal.org/node/829808)

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkwaHF0ACgkQkSlsbLsN1gC1Nwb+PFlE/a/PtZJdjnI3IO18FzaV
nZkEfBlngdsHZLW+G9qoaXyORZ781uIkRtQJMEQBEKBFWAYfPAuvAk2eq7xxhoZl
X8zrKtJYb7gkWZO+7iBGs0q/ah7FKLCPr578SgMcilCLn7OmjkEFJOqRH0Fb2kVu
beiL3N5vEVI4Qz/qygglMvsFyRm4v22l8SeYKFrs/e7x+NR8puQjVvSeF5dFSQ7x
oqJrdPqD29fO3sfKVR/IqIGwFg+nzLUrvmqT4p7HSsxjbc5IXGRn+MohbRz/RS1C
rzqZI/ytPkuBp2XRqdI=
=EpO+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/