Drupal Imagefield Upload / Cross Site Scripting

Posted Jan 29, 2009
Authored by Andrew Rosborough, Justin C. Klein Keane

The Drupal Imagefield module version 5.x-2.2 on Drupal 5.15 suffers from arbitrary file upload and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, file upload
SHA-256 | 70b7ca51b0395989d6850139e7704f4d0741f5506342259ab3079931a19bdc6f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal Imagefield Module Multiple Vulnerabilities

Security Risk: High
Exploitable: Remotely
Vulnerabilities: Arbitrary File Upload, Cross Site Scripting
Discovered by: Justin C. Klein Keane, Andrew Rosborough
Tested: Imagefield 5.x-2.2 on Drupal 5.15

Description

Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team (http://drupal.org/security), third party modules are not
reviewed for security.

The Imagefield module (http://drupal.org/project/imagefield) is a module
that extends the Drupal CCK (Content Creation Kit) module
(http://www.drupal.org/project/cck) by allowing users to add image
fields to custom content types.


Arbitrary File Upload Vulnerability

Two flaws exist in this module. The first allows an attacker to upload
arbitrary files to the web server's filesystem. The 'Default image'
setting of an Imagefield field for a content type accepts any file, not
just an image, and stores it unmodified. Files are written to Drupal's
files/imagefield_default_images/ directory on a default installation
(with 'files' set as the file system path in Drupal's administrative
configuration; the location varies with that setting).

Mitigating Factors

Attackers must be authenticated with an account that has the 'administer
content types' permission. Additionally, Drupal protects the files
directory and its subdirectories with an .htaccess file, located in the
files directory, that specifies:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

This prevents direct execution of PHP files placed under files/, provided
the site runs on Apache and .htaccess overrides are honoured for that
directory. It does not stop the web server from serving the uploaded file
as-is to anyone who requests it. Additionally, Drupal's
file_check_upload() function renames files whose extension is php, pl,
py, cgi, asp or js, appending .txt and forcing a text/plain MIME type,
with the following code:

  // Rename potentially executable files, to help prevent exploits.
  if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) &&
      (substr($file->filename, -4) != '.txt')) {
    $file->filemime = 'text/plain';
    $file->filepath .= '.txt';
    $file->filename .= '.txt';
  }

This is a denylist: any other extension, .exe or .html for example, is
stored under its original name.

Exploiting the File Upload Vulnerability

To exploit the vulnerability:

1. Log in as a user with the 'administer content types' permission
2. Click Administer -> Content management -> Content types
3. Click 'Add content type'
4. Fill in the required text in the Identification, Submission and other
fieldsets
5. Click the 'Save content type' button
6. On the Administer -> Content management -> Content types screen, click
'edit' in the Operations column for the new content type
7. Click 'Add field'
8. Fill in the 'Name' text box in the 'Create new field' fieldset and
select the 'Image' radio button
9. Click the 'Create field' button
10. On the next screen (assuming both the new field and the new type were
named 'test', this is Home > Administer > Content management > Content
types > test) scroll down to the 'Data settings' fieldset
11. Click the 'Browse' button in the 'Default image' fieldset and select
any file from your filesystem; an executable works as well as an image
12. Click the 'Save field settings' button
13. Log into the server and list the upload directory to verify that the
file was stored under its original extension:

# cd /var/www/html/drupal-5.15/files/imagefield_default_images/
# ls -l
-rw-rw-r-- 1 apache apache 18 2009-01-22 10:22 field_test_0.exe

14. Browse to the file (assuming Drupal is running at the document root);
the web server returns it unchanged:
http://192.168.0.50/files/imagefield_default_images/field_test_0.exe
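To show the gap between the rename rule quoted under Mitigating Factors and a proper image check, and to automate the directory audit of step 13, here is an added Python example; it is not Drupal's or Imagefield's code. The Drupal 5 rule is ported line for line from the PHP above; the image signatures, the sample files and the temporary directory standing in for files/imagefield_default_images/ are the example's own assumptions.

```python
"""Added example (not Drupal's or Imagefield's code): the Drupal 5
file_check_upload() rename rule ported to Python, an allowlist-plus-content
check an image field should perform instead, and an audit of a default-image
directory of the kind step 13 of the advisory does by hand."""
import os
import re
import tempfile

# Port of the Drupal 5 rename rule quoted in the advisory (a denylist).
EXECUTABLE_EXT = re.compile(r'\.(php|pl|py|cgi|asp|js)$', re.IGNORECASE)


def drupal5_rename(filename: str) -> str:
    """Return the name Drupal 5 stores the upload under. Only the listed
    extensions are renamed; anything else (.exe, .html, ...) is kept."""
    if EXECUTABLE_EXT.search(filename) and not filename.endswith('.txt'):
        return filename + '.txt'
    return filename


# Magic bytes for the image types an image field is meant to hold.
# Assumption: GIF, JPEG and PNG; the advisory does not list accepted formats.
IMAGE_SIGNATURES = {
    'gif': (b'GIF87a', b'GIF89a'),
    'jpg': (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
    'png': (b'\x89PNG\r\n\x1a\n',),
}


def is_image(filename: str, data: bytes) -> bool:
    """Allowlist check: the extension must be an image extension AND the
    content must start with that format's signature."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        return False
    return any(data.startswith(s) for s in sigs)


def audit_default_images(directory: str) -> list:
    """List files under the directory whose content is not a recognised
    image, whatever their extension says."""
    suspicious = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, 'rb') as fh:
            head = fh.read(16)
        if not is_image(name, head):
            suspicious.append(name)
    return suspicious


def demo() -> dict:
    """Run both checks on constructed sample uploads (not real files)."""
    samples = {
        'field_test_0.exe': b'MZ' + b'\x00' * 16,           # constructed PE stub
        'shell.php': b'<?php system($_GET["c"]); ?>',        # constructed web shell
        'logo.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 8,      # constructed PNG header
        'fake.jpg': b'<html><script>alert(1)</script>',     # HTML with .jpg extension
    }
    results = {}
    # A temporary directory stands in for files/imagefield_default_images/.
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            stored = drupal5_rename(name)
            with open(os.path.join(d, stored), 'wb') as fh:
                fh.write(data)
            results[name] = {'stored_as': stored,
                             'allowlist_ok': is_image(name, data)}
        results['audit'] = audit_default_images(d)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The port renames shell.php to shell.php.txt but leaves field_test_0.exe and the HTML file with a .jpg extension untouched; the allowlist check rejects all three and accepts only the real PNG, and the audit flags the same three files in the directory.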

Cross Site Scripting (XSS) Vulnerability

The Imagefield module also contains a stored XSS vulnerability in the
'Help text' field. Any user with the 'administer content types'
permission can edit a content type that contains an image field, or
create a content type that contains one. In the 'Widget settings'
fieldset presented during configuration of the image field, a textarea
labeled 'Help text:' is shown. Arbitrary script can be entered into this
textarea; it is stored and later output without escaping. This
vulnerability is especially dangerous because the script executes in the
browser of whoever creates new content of the type with the infected help
text, which potentially exposes site administrators, who hold far broader
permissions than 'administer content types', to the attack.
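As an added example (not Imagefield's or Drupal's code) of the sanitisation the help text needs before it is rendered into the node form: a minimal allowlist sanitiser in the spirit of Drupal's filter_xss(). The allowed tags and attributes, the URL scheme list and the sample payloads are assumptions of the example, not taken from the advisory.

```python
"""Added example (not Imagefield's or Drupal's code): an allowlist sanitiser
for a field's help text. Keeps a small set of harmless tags, drops every
event-handler attribute and non-http(s) link, and discards the content of
<script>/<style> entirely. Tag/attribute lists are assumptions."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {'a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'p', 'br'}
ALLOWED_ATTRS = {'a': {'href'}}           # no style=, no on*= anywhere
SAFE_SCHEMES = ('http://', 'https://', 'mailto:', '/')
VOID_TAGS = {'br'}


class HelpTextSanitizer(HTMLParser):
    """Rebuild the markup from parsed tokens. Disallowed tags are dropped but
    their text is kept; inside <script>/<style> nothing is kept."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                        # drops onerror=, onclick=, ...
            value = (value or '').strip()
            if name == 'href' and not value.lower().startswith(SAFE_SCHEMES):
                continue                        # drops javascript:, data:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # & < > become entities


def sanitize_help_text(text: str) -> str:
    """Return help text safe to place into the node add/edit form."""
    parser = HelpTextSanitizer()
    parser.feed(text)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    # Constructed payloads of the kind an 'administer content types' user
    # could paste into 'Help text:'.
    for payload in ('<script>alert(1)</script>Upload a photo',
                    '<img src=x onerror=alert(1)>',
                    '<a href="javascript:alert(1)" onclick="x()">site</a>'):
        print(repr(payload), '->', repr(sanitize_help_text(payload)))
```

The sanitiser does not balance tags or validate nesting; it only guarantees that nothing outside the allowlist survives. On a real Drupal site the module should call the framework's own check_plain() or filter_xss() on the help text rather than carrying its own filter.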

--
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSYG6EZEpbGy7DdYAAQJChgb+LUEHPrQ1GboCjvl7aKeUx7KRtu56IBnj
txM6pKTjBNI42iaTIKnMK+acBtcoN5TJhtyMsrOfjaLEFsjT08Sc0WQKk8H8LAMw
rb9qWO1L01MqnbyByUZSDltyV9BI4z5dI8ekjowsL6KcrZfGPCumBt8m+FuzxPLX
vXQ+huGZQihq3lmmbdd0gc83f6hvIG6MADha6yutv1tY0H0Y1B06ZAkizh+LUvhu
mY3u6LrIWZqnZr/NRAcsX09q+4AHp+3w8va/8kx7EixzkiWK8NwXGLL+MWatT5sq
zv/ZgrnspW4=
=zBEx
-----END PGP SIGNATURE-----
