exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal MP3 Player Cross Site Scripting

Drupal MP3 Player Cross Site Scripting
Posted Feb 2, 2010
Authored by Martin Barbella

Drupal's MP3 Player module version 6.x-1.0-beta1 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | bea709af4e24c40c41d70a3135a1196e412d132182f2fa56f7e35583b5bfc365

Drupal MP3 Player Cross Site Scripting

Change Mirror Download
XSS vulnerability in Drupal's MP3 Player contributed module (version
6.x-1.0-beta1)

Discovered by Martin Barbella <martybarbella@gmail.com>

Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)

The MP3 Player module allows users to use the WordPress Audio Player in Drupal.

The name of the mp3 file is not properly sanitized when the javascript
to create the audio player is generated, resulting in a cross site
scripting vulnerability.

The module also fails to sanitize various inputs on the MP3 player
administration page. In the cases where the user is prompted for 6
digit hex values to use as colors for the player, it will only check
that the value is 6 characters long, and will not verify that it is
hexadecimal, but as this is both difficult to exploit, and requires
that the user can administer the MP3 player module, the rest of this
report will only focus on the previous vulnerability.

Systems affected:
-----------------
This has been confirmed in MP3 Player 6.x-1.0-beta1. Other versions
may also be affected.

Impact:
-------
Stored attacks are those where the injected code is permanently stored
on the target servers, such as in a database, in a message forum,
visitor log, comment field, etc. The victim then retrieves the
malicious script from the server when it requests the stored
information. (From OWASP:
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)

Mitigating factors:
-------------------
A user must have permission to create nodes of a type that use the audio player.

Proof of concept:
-----------------
1. Install the MP3 Player module and its dependencies.
2. Create a new content type with a file field that accepts mp3s.
3. Make sure that MP3 Player will be used with the field that you have created.
4. Create a file named "+alert(document.cookie)+".mp3
5. Create a node with the new content type, and upload this file.
6. Note that an alert box will be displayed when viewing this node.

Timeline:
---------
2010-01-14 - Drupal Security notified
2010-02-01 - Still no response from Drupal Security
2010-02-01 - Public disclosure
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close