- Advisory ID: DRUPAL-SA-CONTRIB-2010-066
- Project: FileField (third-party module)
- Version: 5.x, 6.x
- Date: 2010-June-16
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
FileField module integrates with the Content Construction Kit to provide a file upload field. It also integrates with the Views and Token modules.
The module does not sanitize some of the user-supplied data before displaying it (for Drupal 6.x-3.x only), or before adding it to tokens (both 5.x-2.x and 6.x-3.x), leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access.
This vulnerability is mitigated by the fact that the attacker must be able to create or edit content with a FileField, and the site administrator must have configured a vulnerable display format ('Path to File' or 'URL to File') or be using token containing the filename, filepath, or description.
Versions affected
- FileField module for Drupal 5.x versions prior to 5.x-2.5
- FileField module for Drupal 6.x versions prior to 6.x-3.4
Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the FileField module for Drupal 5.x upgrade to FileField 5.x-2.5
- If you use the FileField module for Drupal 6.x upgrade to FileField 6.x-3.4
See also the FileField project page.
Reported by
- Justin Klein Keane
- Peter Wolanin of the Drupal security team
Fixed by
- Peter Wolanin of the Drupal security team
- Justin Klein Keane
- Nathan Haug, the module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.