1. SCOPE:

At least Drupal 'MP3 Player' contrib module versions 6.1.1.x

2. BACKGROUND:

The Drupal 'MP3 Player' contrib module brings
the WordPress Audio Player to Drupal.

The WordPress Audio Player web page is here ...
http://wordpress.org/extend/plugins/audio-player/ [1]
The Drupal module shares the same 'player.swf' file as the WordPress
Audio Player.

Part of the instructions for installing the Drupal MP3 Player contrib
module is to
"1. Download the WordPress Standalone Audio Player
(http://wpaudioplayer.com/download [2])
2. Drop the audio-player.js and player.swf files from the WordPress
Standalone Audio Player download into this directory."

So security issues with those files are also security issues for Drupal
installations that use them.

3. PROBLEM:

The WordPress Audio Player recently had this XSS vulnerability
identified and resolved:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464 [3]
It was also referenced here ...
http://www.us-cert.gov/cas/bulletins/SB13-042.html [4]
Because the Drupal module ships the same player.swf, the problem also exists on Drupal sites.

4. PROBLEM DETECTION:

4.1 The problem can be reproduced with this URL...
/sites/all/modules/contrib/mp3player/mp3player/player.swf?playerID=a\%22%29%29}catch%28e%29{alert%28document.domain%29}//
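The repro above is a one-off check; a site owner who wants to know whether the vulnerable playerID parameter was ever probed can look for the same shape of request in the web server access log. The script below is an added example (it is not part of this report or of the mp3player module): it parses combined-format access log lines, and for any request to a path ending in player.swf it URL-decodes every playerID value and flags those that are not a plain token (the module only ever generates short alphanumeric IDs, so anything with quotes, braces or parentheses is not legitimate traffic). The log lines, IP addresses and the token pattern are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption for this example: a legitimate playerID is a short token of
# letters, digits, underscore or hyphen. Anything else is worth a look.
SAFE_PLAYER_ID = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines. The second one carries the repro URL from
# section 4.1 of this report; the third hits a different path and must be ignored.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Feb/2013:10:02:11 +0000] "GET /sites/all/modules/contrib/mp3player/mp3player/player.swf?playerID=1 HTTP/1.1" 200 4521',
    '198.51.100.9 - - [10/Feb/2013:10:02:40 +0000] "GET /sites/all/modules/contrib/mp3player/mp3player/player.swf?playerID=a\\%22%29%29}catch%28e%29{alert%28document.domain%29}// HTTP/1.1" 200 4521',
    '198.51.100.9 - - [10/Feb/2013:10:03:02 +0000] "GET /node/12?playerID=%22%29 HTTP/1.1" 200 8120',
]


def suspicious_player_id(url):
    """Return the decoded playerID when a player.swf request carries a value that
    is not a plain token; return None for other paths or benign values."""
    parts = urlsplit(url)
    if not parts.path.endswith('/player.swf'):
        return None
    # parse_qs decodes once; a second unquote() catches double-encoded values.
    for value in parse_qs(parts.query, keep_blank_values=True).get('playerID', []):
        decoded = unquote(value)
        if not SAFE_PLAYER_ID.match(decoded):
            return decoded
    return None


def scan_log(lines):
    """Yield one hit dict per suspicious player.swf request found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        player_id = suspicious_player_id(m.group('url'))
        if player_id is not None:
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'status': int(m.group('status')),
                'player_id': player_id,
            })
    return hits


if __name__ == '__main__':
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    for hit in scan_log(source):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} playerID={hit['player_id']!r}")
```

Run it with a log file as the first argument, or without arguments to scan the constructed sample lines; a 200 status on a flagged request only tells you the SWF was served, which it always will be, so the hit itself is the signal, not the status code.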

4.2 The problem can also be detected by adding this code temporarily to your mp3player.module file
and then viewing the site status report (/admin/reports/status) ...

function mp3player_requirements($phase) {
  if ($phase == 'runtime') {
    // md5 of the player.swf shipped with WordPress Audio Player 2.0.4.6 (the fixed release).
    $md5_for_player_in_ver_2046 = '4204f395024d6454a3bcb06bcce868b7';

    // Hash the player.swf that is actually installed under the module directory.
    $module_path = drupal_get_path('module', 'mp3player');
    $md5_for_player_in_installed_ver = md5_file($module_path . '/mp3player/player.swf');

    if ($md5_for_player_in_installed_ver === $md5_for_player_in_ver_2046) {
      $severity = REQUIREMENT_OK;
      $value = 'player.swf is version 2.0.4.6';
      $description = '';
    }
    else {
      // Also reached when the file is missing, since md5_file() then returns FALSE.
      $severity = REQUIREMENT_ERROR;
      $value = 'player.swf is not version 2.0.4.6.';
      $description = 'You may have a security issue. Some earlier versions do not sufficiently sanitize input. If your player.swf file was downloaded before March 2013 then you should download a new version (2.0.4.6 or later) from wpaudioplayer.com .';
    }

    $status = array();
    $status['MP3 Player'] = array(
      'title' => 'MP3 Player',
      'value' => $value,
      'description' => $description,
      'severity' => $severity,
    );

    return $status;
  }
}

4.3 The module should include this patch so that folks can tell if they need to upgrade the player OR it should include the player in the module and there should be a new version of the module.
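The hook above only checks the one path the module expects, and only after someone edits mp3player.module. The script below is an added example (not part of this report or the module) that does the same md5 comparison from the command line across a whole Drupal docroot, so it also finds copies of player.swf that were moved under sites/all/libraries/ or left behind in other module directories. The reference hash is the 2.0.4.6 value from section 4.2; the build_sample_docroot() fixture, the placeholder file contents and the verdict labels are constructed for the example.

```python
import hashlib
import os
import sys
import tempfile

# md5 of the player.swf shipped with WordPress Audio Player 2.0.4.6, as given in section 4.2.
MD5_PLAYER_2046 = '4204f395024d6454a3bcb06bcce868b7'


def md5_of(path):
    """md5 hex digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def classify(digest):
    """'ok' for the fixed 2.0.4.6 build, 'needs-upgrade' for any other bytes."""
    return 'ok' if digest == MD5_PLAYER_2046 else 'needs-upgrade'


def scan_tree(root):
    """Walk a docroot and return {path: (md5, verdict)} for every player.swf found,
    whether it sits under modules/, libraries/ or anywhere else."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == 'player.swf':
                path = os.path.join(dirpath, name)
                digest = md5_of(path)
                results[path] = (digest, classify(digest))
    return results


def build_sample_docroot():
    """Constructed fixture: a throwaway docroot containing a stand-in player.swf
    whose bytes are deliberately NOT the 2.0.4.6 build, so it must be flagged."""
    root = tempfile.mkdtemp(prefix='mp3player-check-')
    module_dir = os.path.join(root, 'sites', 'all', 'modules', 'contrib', 'mp3player', 'mp3player')
    os.makedirs(module_dir)
    with open(os.path.join(module_dir, 'player.swf'), 'wb') as f:
        f.write(b'FWS placeholder bytes, not a real Flash binary')
    return root


if __name__ == '__main__':
    docroot = sys.argv[1] if len(sys.argv) > 1 else build_sample_docroot()
    found = scan_tree(docroot)
    if not found:
        print(f'no player.swf under {docroot}')
    for path, (digest, verdict) in sorted(found.items()):
        print(f'{verdict:13} {digest} {path}')
```

Point it at the Drupal root (for example, python3 check_player.py /var/www/html); with no argument it scans the constructed fixture and reports the placeholder as needs-upgrade. Any file reported as needs-upgrade should be replaced with player.swf from the 2.0.4.6 download, or removed if it is a stray copy.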

5. SOLUTION:

The problem is solved in WordPress Audio Player version 2.0.4.6.

You can see the fixed source code here ...
http://trac.assembla.com/1pixelout/browser/audio-player/tags/2.0.4.6 [5]
and player.swf WITH THE FIX in it can be downloaded from here ...
http://wordpress.org/extend/plugins/audio-player/developers/ [6]

For Drupal the fix is to replace your player.swf with the fixed
player.swf file from a download of WordPress Audio Player version
2.0.4.6.

6. REFERENCED URL FOOTNOTE

[1] http://wordpress.org/extend/plugins/audio-player/
[2] http://wpaudioplayer.com/download
[3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1464
[4] http://www.us-cert.gov/cas/bulletins/SB13-042.html
[5] http://trac.assembla.com/1pixelout/browser/audio-player/tags/2.0.4.6
[6] http://wordpress.org/extend/plugins/audio-player/developers/

Files:
#9 vako.zip (2.77 MB) - mcdazz

Comments

If the solution is just to replace your player.swf file, then why can't the maintainer do so and re-activate the module?
It's an amazing module and a shame if we lose it.

@Vako : Good question. Even if the former maintainer isn't available anymore, any other development god should be able to do this. Too bad ordinary people don't even get full project privileges at d.o :-(

Alternatively, what would another "active" maintained module be? When I decided for the 'MP3 player' module a while ago, I found this the only Drupal module for this task working at all…

I completely agree.

This is a fantastic module, and for Drupal 6 at least, there's nothing that I have found to replace it, as a few other "current" modules just don't work, or work with an older version of flash that also happens to have XSS security issues.

I've spent the better half of the night searching for a replacement, and the closest I've come is to a tutorial I found earlier - http://www.thinkingcap.com.au/news/drupal-using-node-displays-and-displa... , although, I'd suggest using the tutorial as a possible basis and looking at an updated version of JW-Player or another player completely.

If it helps, I've managed to get a HTML5 audio player (audio.js) with flash backup working on a Drupal 6 site (I was specifically looking for something that would work on a Drupal 6 site I look after).

Best of all is that it handles playlists (one of the few that I found).

Short version of what I did was:

1. Downloaded the necessary audio.js files to sites/all/libraries/audiojs
2. Created a small module that handles a couple of jQuery scripts using drupal_add_js
3. Configured Drupal 6 to use a more recent jQuery version - see https://drupal.org/node/1058168 for details
4. Added a content-type and a filefield for mp3 files
5. Added a view to handle the playlist (required a views template), configured the view to output the required links (ie Rewrite the output of this field and use a field format of 'path to file'), and configured the Style to output a HTML Ordered list with inline fields.

If you're handy with views, it's all very easy.

I haven't tried this on Drupal 7 yet, but should work in a relatively similar fashion.

I'm currently working on some documentation with screen caps if people are interested.

If I can get my head around Drupal module development, I'll try to turn it into a fully fledged Drupal module.

Hi Darren, I am interested in your solution and waiting for the screen caps instructions. No rush for me.

Hi Vako,

If you're using Drupal 6, I can make it a whole lot easier as I've created two modules (not up on Drupal.org) that work in conjunction with each other.

Module one creates an Audio Content-Type with a CCK Filefield for uploading MP3's.

Module two creates the required Views, as well as sets up the display using a Views template.

From there it's just a matter of downloading the audio.js files, putting them into the libraries folder, and then setting up the Drupal 6 install so that jQuery 1.4.4 (or later) works.

So far, I've only been testing on Drupal 6, but in Dev testing, it's worked perfectly.

I'll see if I can whiz up doco and/or a screencast to show how I've done it.

I'll let you know (within a day or two at most).

Cheers,
Darren

Interesting - I wasn't aware at the time as I was looking for a Drupal 6 HTML5 player, however, there is already an audio.js module available for Drupal 7 (I've yet to play with it as I've only just found it).

If you're still after a Drupal 6 version, I've finished the documentation for the modules I've created.

I'm a bit hesitant about uploading it here (due to the Drupal 7 version) as I don't want to cause any confusion with that project.

Yes, I am using Drupal 6 and am very much interested in your module updates. No harm in uploading the patches or modules here. Thanks a lot!

Attached file (new): 2.77 MB

Excellent - I've attached one zip file containing two modules, the documentation, and a text file containing my email address if you need to contact me direct.

Just keep in mind that this isn't part of the 'official' Drupal module for audio.js, it's just my module.

Let me know how you go with it, and if you've got any suggestions, please let me know as well.

Cheers,
Darren

Thank you Darren, I will test this on the weekend and give you my feedback.

No worries - I look forward to your feedback.

I need a solution to this for a D6 site that is using mp3player heavily. From reading the above it seems I may lose all the history(play count) if I have to switch from using the mp3player to another player. I'm not sure though. Basically my situation is that I already have a content type that has a audio field that uses the mp3player to format the audio in the view. I need to be able to switch without losing any data if possible.

Hi people,
I have started a sandbox project with a 7.x version of this without the XSS vulnerability. Basically I moved the .swf out of the module and into the libraries. I'll add a 6.x version soon, but you can follow it at https://drupal.org/sandbox/markie/2047237

Thanks markie, why don't you become the maintainer of the original MP3 Player and remove the security issue from it and make it better?

Darren, I still didn't get a chance to test your patch, but I will.

No worries Vako.

I tested it out on a completely default Drupal 6 install (with the default theme) and it worked perfectly.

@ banghouse: It kept a history?

Vako
I am working on doing that, but it's a long process. That's why I added the sandbox quickly.

@markie, sorry for the naive question; can you let me know how I can use the sandbox please? I clicked on the link and didn't get anywhere. It's my 1st time...but willing to learn.

@Vako: You'll need to have an understanding of Git to use the Sandbox project mentioned by markie.

This should hopefully help - https://drupal.org/node/1013552

Folks I am working with the security team to get this module breathing again. Bear with me

Assigned: Unassigned » markie
Status: Active » Patch (to be ported)

Patch at https://drupal.org/node/2050425 puts the player into the libraries folder, which would resolve this issue. Once I get maintainer status, I will add a release.

Thanks Mark, can't wait to see this module revived!
Also thanks Darren for all the work you did before, now we have two options to work with. I hope Darren's work can become a module as well.

Status: Patch (to be ported) » Needs review

All
I have created a new 6.x-2.x branch for this project that uses the libraries module and external audio-player file. Please, someone check it out so we can get these security issues cleared and activate our module again.

thanks.

I can't find it, please indicate the link.
Thanks a lot for your work, "there's a light at the end of the tunnel" :)

Vako
I was asked not to create a release so you'll have to check it out of git directly by using this command: Note: [username] is your git username which should be your D.O name.

git clone --branch 6.x-2.x [username]@git.drupal.org:project/mp3player.git
cd mp3player

Thanks for your quick reply. Once we get someone to check this out and mark it 'reviewed and tested' we can start pushing releases.

Here's hoping the light at the end of the tunnel isn't a train..

OK, I downloaded the module and got the following error:
Fatal error: Call to undefined function libraries_get_path() in /home/wwwhaya/public_html/sites/all/modules/mp3player/mp3player.module on line 635

ran update.php which was not necessary. Also created the mp3player folder with the player.swf and audio-player.js files in it, as before.

Hope this helps identify the issue.

Vako
Thanks for participating. I just pushed an update to the README.txt. One of the security issues was the location of the player. Can you do a git pull and follow the instructions in the new README.txt, then let me know if you have any issues?

I published https://drupal.org/node/352937 for 6.x.

@markie - feel free to create a 7.x-1.x-dev release for folks to easily test.

I kept the same files, but moved the js files to /sites/all/libraries/audio-player, still I'm getting the same error as above.
I ran update.php and cleared the cache.

I am using Drupal 6.28

Vako
Did you download and enable the libraries module?

I downloaded the same files and moved the folder to /sites/all/libraries/audio-player, isn't that the process?
If you can let me know the steps, I will do it again.

Vako
Downloading the files is great, but Drupal needs the libraries module to know where it is.

A) I copied the module files to the sites\all\modules folder
B) Enabled the module
C) Downloaded the library files from the link provided in the readme.txt file and copied it to the /sites/all/libraries/audio-player folder.

What am I missing here?