see also: PSA regarding 'administer content types' permission http://drupal.org/node/372836

Based on this PSA and security team policy regarding vulnerabilities only accessible via this administrator permission, this bug can be fixed through a public process.

This bug was reported to the security team by Justin C. Klein Keane:

The Embedded Media Field module contains a XSS vulnerability because it
does not properly sanitize the output of 'Help text', 'Custom thumbnail
label', of 'Custom thumbnail description' specified when creating an
Embedded Media Field content type field.

Systems affected:
- -----------------
Drupal 6.12 with CCK 6.x-2.2 and Embedded Media Field 6.x-1.0 was tested
and shown to be vulnerable.

Impact:
- -------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
- -------------------
The Embedded Media Field module must be installed.  Only users who have
rights to create content or administer content types are exposed to this
attack vector, although these accounts are generally privileged,
representing a greater risk.  'Administer content types' privilege is
required to carry out the proof of concept below, although other vectors
may exist.

Proof of concept:
- -----------------
1.  Install Drupal 6.12 and CCK.
2.  Install Embedded Media Field and enable all Print functionality through Administer-> Modules.
3.  Adjust fields in the 'Story' content type by clicking on Administer- -> Content management -> Content types, then clicking 'manage fields' next to 'Story'
4.  In the 'Add' field type in an arbitrary field label and field name in the 'New field' area
5.  Select 'Embedded Video' from the 'Type of data to store' drop down
6.  Click the 'Save' button
7.  On the resultant screen fill in "<script>alert('custom thumbnail label xss');</script>" in the "Custom thumbnail label:" text field
8.  Fill in "<script>alert('custom thumbnail description xss');</script>" in the "Custom thumbnail description:" text field
9.  Fill in "<script>alert('help text xss');</script>" in the "Help
text:" text field
10. Click the 'Save field settings' button
11. Create new content of the type by clicking the 'Create content' link
then the 'Story' link
12.  Observe multiple JavaScript alerts

Comments

aaron’s picture

aaron commented
Priority: Normal » Critical

Thanks, I'll get this fixed by the morning.

aaron’s picture

aaron commented
Version: 6.x-1.x-dev » 5.x-1.x-dev
Status: Active » Patch (to be ported)

This is fixed in d6-dev. Just going to go through a few other issues before making a new release. I'll need to backport to d5 as well.

aaron’s picture

aaron commented
Status: Patch (to be ported) » Fixed

ok, fixed in d5-dev as well. will create new releases for both momentarily.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.