what you don't know can hurt you

Drupal FileField 6.x-3.3 Arbitrary Script Injection

Drupal FileField 6.x-3.3 Arbitrary Script Injection
Posted Jun 18, 2010
Authored by Justin C. Klein Keane

Drupal FileField version 6.x-3.3 suffers from an arbitrary script injection vulnerability.

tags | advisory, arbitrary
advisories | CVE-2010-1958
MD5 | 3ef3a39a5b1646bdf89894953b6a2774

Drupal FileField 6.x-3.3 Arbitrary Script Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FileField 6.x-3.3 Arbitrary Script Injection Vulnerability

CVE-2010-1958

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal FileField module
(http://drupal.org/project/filefield) "provides a universal file upload
field for CCK. It is a robust alternative to core's Upload module and an
absolute must for users uploading a large number of files. Great for
managing video and audio files for podcasts on your own site." The
FileField module contains a cross site scripting (XSS) vulnerability due
to the fact that it fails to sanitize image filenames before display.

Systems affected:
- -----------------
Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown
to be vulnerable.

Impact
- ------
Users who have rights to create content may upload files (including
images) with malicious names that could result in script execution.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
- -------------------
Attacker must have rights to create content of a type that employs an
FileField CCK element. This would include most content that had
attachments including imagery, documents, etc.

Additionally, Drupal's file handling must be set to Public in the File
system settings at ?q=admin/settings/file-system. This is the default
configuration.

Further Details:
- ----------------
Further details about this vulnerability can be found at
http://www.madirish.net/?article=461

Vendor Response:
- ------------------------------------------
Vendor has responded by releasing a fixed version and a detailed
security announcement. Vendor response is fully detailed in
SA-CONTRIB-2010-066 (http://drupal.org/node/829808)

- --
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkwaHF0ACgkQkSlsbLsN1gC1Nwb+PFlE/a/PtZJdjnI3IO18FzaV
nZkEfBlngdsHZLW+G9qoaXyORZ781uIkRtQJMEQBEKBFWAYfPAuvAk2eq7xxhoZl
X8zrKtJYb7gkWZO+7iBGs0q/ah7FKLCPr578SgMcilCLn7OmjkEFJOqRH0Fb2kVu
beiL3N5vEVI4Qz/qygglMvsFyRm4v22l8SeYKFrs/e7x+NR8puQjVvSeF5dFSQ7x
oqJrdPqD29fO3sfKVR/IqIGwFg+nzLUrvmqT4p7HSsxjbc5IXGRn+MohbRz/RS1C
rzqZI/ytPkuBp2XRqdI=
=EpO+
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    6 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close