• Advisory ID: DRUPAL-SA-2007-009.
  • Project: getID3 (third-party library) used by Audio and Mediafield
  • Version: getID3 1.7.1
  • Date: 2007-Feb-16
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary code execution

Description

The getID3 library used by Audio and Mediafield contains a directory with scripts demonstrating use of the library. These scripts allow any visitor to browse the filesystem, read and delete files or write to zero-byte files or files with an mp3 extension. These actions are only limited by the privileges of the user account the server uses to execute the scripts.

This may even lead to the execution of arbitrary code.

Execution of arbitrary code is facilitated by the way Audio and Mediafield implement upload functionality.

Versions affected

  • getID3 1.7.1.
  • Mediafield 4.7.x-1.x-dev.
  • Mediafield 5.x-1.x-dev.
  • Audio 4.7.x-1.x-dev.
  • Audio 5.x-0.2.
  • Audio 5.x-0.x-dev.

Drupal core is not affected. If you do not use the getID3 library, there is nothing you need to do.

Solution

Remove the getID3 demos folder or upgrade to getID3 1.7.8b1.

In addition:

  • If you use Mediafield 4.7.x upgrade to 4.7.x-1.0.
  • If you use Mediafield 5.x upgrade to 5.x-1.0.
  • If you use Audio 4.7.x upgrade to 4.7.x-1.0.
  • If you use Audio 5.x upgrade to 5.x-0.3.

See also the Audio project page.
See also the Mediafield project page.

Reported by

John Forsythe.

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.