XSS vulnerability in Drupal's MP3 Player contributed module (version
6.x-1.0-beta1)
Discovered by Martin Barbella
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)
The MP3 Player module allows users to use the WordPress Audio Player in Drupal.
The name of the MP3 file is not properly sanitized when the JavaScript
that creates the audio player is generated, resulting in a cross-site
scripting vulnerability.
The module also fails to sanitize various inputs on the MP3 player
administration page. Where the user is prompted for 6-digit hex values
to use as colors for the player, the module only checks that the value
is 6 characters long and does not verify that it is hexadecimal. As
this is both difficult to exploit and requires that the user can
administer the MP3 player module, the rest of this report focuses only
on the previous vulnerability.
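The two checks described above, sketched as an added example in plain PHP; this is not the module's code or a released fix. The function names, the option keys and the examplePlayerInit call are hypothetical, and the file name is constructed sample input.

```php
<?php
// Added example: plain PHP (5.3+), no Drupal APIs. All names are hypothetical.

// Escape <, >, &, ' and " as \uXXXX so that a value can neither end the
// string literal nor close the surrounding <script> element.
define('MP3_JSON_FLAGS',
  JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);

/**
 * Accept a colour only if it is exactly six hexadecimal digits.
 * \A and \z anchor the whole string; a length check alone is not enough.
 */
function mp3_is_hex_colour($value) {
  return is_string($value)
    && preg_match('/\A[0-9a-fA-F]{6}\z/', $value) === 1;
}

/**
 * Build the inline script that sets up the player. Every value reaches
 * the page through json_encode(), never through string concatenation.
 */
function mp3_player_script($file_name, array $colours) {
  $options = array('soundFile' => (string) $file_name);
  foreach ($colours as $key => $value) {
    if (!mp3_is_hex_colour($value)) {
      throw new InvalidArgumentException('Colour is not a 6-digit hex value');
    }
    $options[(string) $key] = $value;
  }
  $json = json_encode($options, MP3_JSON_FLAGS);
  if ($json === false) {
    // json_encode() returns false on invalid UTF-8; reject instead of
    // emitting a broken or empty script.
    throw new InvalidArgumentException('Player options are not valid UTF-8');
  }
  // examplePlayerInit is a placeholder for the player's setup call.
  return '<script type="text/javascript">examplePlayerInit('
    . $json . ');</script>';
}

// Constructed sample input: a file name containing quote and tag characters.
$name = 'demo "take 2" </script>.mp3';
echo mp3_player_script($name, array('bg' => 'E5E5E5')), "\n";

// Six characters long, but not hexadecimal: a length-only check accepts it.
var_dump(mp3_is_hex_colour('zzzzzz'));
```

In the generated script the quote and angle-bracket characters of the sample name appear only as `\uXXXX` escapes inside the string literal.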
This has been confirmed in MP3 Player 6.x-1.0-beta1. Other versions
may also be affected.
Stored attacks are those where the injected code is permanently stored
on the target servers, such as in a database, in a message forum,
visitor log, comment field, etc. The victim then retrieves the
malicious script from the server when it requests the stored
information. (From OWASP:
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29)
A user must have permission to create nodes of a type that uses the audio player.
2010-01-14 - Drupal Security notified
2010-02-01 - Still no response from Drupal Security
2010-02-01 - Public disclosure