Drupal Embedded Media Field Cross Site Scripting

Posted Dec 9, 2010
Authored by Justin C. Klein Keane

Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 3e4fc930adc768a98c38cadb8899485067256c5adccd77f043a3393b44404281

Details of this disclosure are also available at
http://www.madirish.net/?article=472


Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL. The Drupal Embedded Media Field module
(http://drupal.org/project/emfield) "will create fields for content
types that can be used to display video, image, and audio files from
various third party providers." Unfortunately the Embedded Media Field
module contains an arbitrary HTML injection vulnerability (also known as
cross site scripting, or XSS) because it fails to sanitize
user supplied audio file paths and custom embed code before placing
them in the rendered page.

Systems affected:
-----------------
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was
tested and shown to be vulnerable.

Impact
------
Users could inject arbitrary scripts into pages affecting other site
users. This could result in administrative account compromise leading
to web server process compromise. A more likely scenario would be for
an attacker to inject hidden content (such as iframes, applets, or
embedded objects) that would attack client browsers in an attempt to
compromise site users' machines. This vulnerability could also be used
to launch cross site request forgery (XSRF) attacks against the site
that could have other unexpected consequences.

Mitigating factors:
-------------------
In order to exploit this vulnerability the attacker must have the
ability to edit content of a content type with an embedded media field.

Proof of concept:
-----------------
1. Install Drupal 6.19, the CCK module, and Embedded Media Field module
version 6.x-1.25.
2. Enable the Content, Embedded Media Field, and Embedded Audio Field
modules from ?q=/admin/build/modules.
3. Alter the default 'Story' content type at
?q=admin/content/node-type/story/fields.
4. Add a 'New Field' in the form at the bottom of this page with the
label 'audio', the field name 'field_audio', the type 'Embedded Audio' and
the form element '3rd Party Audio', then click the 'Save' button.
5. Configure the new video field from
?q=admin/content/node-type/story/fields/field_video.
6. Select all content providers for convenience and click the 'Save field
settings' button at the bottom of the form.
7. Create a new piece of story content from ?q=node/add/story, entering
arbitrary values.
8. Enter "'/><script>alert('xss');</script><embed onshow='alert("foo");' src='http://traffic.libsyn.com/pauldotcom/PaulDotCom-SW-217pt2.mp3" in
the 'audio:' text field.
9. Click 'Save' and observe the rendered JavaScript alert whenever
the node is displayed.
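The root cause described above is an attribute value that reaches the player markup unescaped. The following PHP is an added illustration, not code from the advisory or the emfield module: a stand-in for the theme function in its vulnerable shape beside a hardened one that rejects anything other than an absolute http(s) URL and HTML-escapes what it emits. The function names, the sample inputs and the plain-PHP validator are all constructed for this example; inside Drupal 6 the module would use valid_url() and check_plain() for the same two roles.

```php
<?php
// Added example, not from the advisory or the emfield module.
// Stand-in for theme_emaudio_custom_url_flash(): the field value is
// interpolated into a quoted attribute of the player markup.

// Vulnerable shape: the value lands in the attribute unchanged, so a
// quote followed by "/>" closes the tag and anything after it is HTML.
function render_audio_unsafe(string $url): string {
    return "<embed type=\"application/x-shockwave-flash\" src=\"$url\" />";
}

// Hardened step 1: validate, and reject rather than "clean up".
// Returns the URL when it is a syntactically valid absolute http(s) URL,
// null otherwise (constructed helper; Drupal 6 would use valid_url()).
function validate_media_url(string $url): ?string {
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;   // quotes, angle brackets and whitespace fail here
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;   // also blocks javascript:, data:, file: etc.
    }
    return $url;
}

// Hardened step 2: escape at the point of output, even for valid input
// (constructed helper; Drupal 6 would use check_plain()).
function render_audio_safe(string $url): string {
    $clean = validate_media_url($url);
    if ($clean === null) {
        return '';     // an invalid value renders nothing at all
    }
    $attr = htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    return "<embed type=\"application/x-shockwave-flash\" src=\"$attr\" />";
}

// Constructed inputs: one in the shape of the proof of concept, one benign.
$tainted = "\"/><script>alert('xss');</script><embed src=\"http://example.com/a.mp3";
$benign  = 'http://example.com/podcast/episode.mp3';

echo render_audio_unsafe($tainted), PHP_EOL;  // script element reaches the page
echo render_audio_safe($tainted),   PHP_EOL;  // empty line: value was rejected
echo render_audio_safe($benign),    PHP_EOL;  // well-formed, escaped embed
```

The two-step shape (reject on validation failure, escape on output) is what the advisory's own patch comment asks for; stripping single characters, as the patch does, mutates the URL instead of refusing it.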

Patch:
------
Applying the following patch mitigates this issue in version 6.x-1.25.

- --- emfield/contrib/emaudio/providers/custom_url.inc 2009-06-26
14:31:00.000000000 -0400
+++ emfield/contrib/emaudio/providers/custom_url.inc 2010-11-05
15:17:08.000000000 -0400
@@ -110,6 +110,7 @@ function emaudio_custom_url_rss($item, $
}

function theme_emaudio_custom_url_flash($url = NULL, $width = 0,
$height = 0, $field = NULL, $data = array(), $node = NULL, $autoplay =
FALSE) {
+ $url=str_replace("'", '', $url); //this should be a URL validator
instead
// Display the audio using Flowplayer if it's available.
if (module_exists('flowplayer')) {
$config = array(
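Review bot: the added `$url=str_replace("'", '', $url); //this should be a URL validator instead` line in theme_emaudio_custom_url_flash() only removes single quotes, and its own comment concedes that a validator is the right fix. Input carrying double quotes, angle brackets or whitespace passes through untouched, and a stripped quote silently alters the URL rather than rejecting the value, so a caller that emits the result inside a double-quoted attribute stays exposed. Reject the value when valid_url($url, TRUE) fails and pass whatever survives through check_plain() (or check_url()) at the point it is written into the markup; the advisory's description also names custom embed code as unsanitized, and that path needs the same treatment rather than a one-character substitution.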

Vendor Response
---------------
http://drupal.org/node/992924


--
Justin Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using
the public key at http://www.madirish.net/gpgkey
