XSS in Vimeo video ID

Created on 30 May 2022, over 2 years ago
Updated 23 May 2024, 7 months ago

Problem/Motivation

The 7.x-2.x version of the module does not have a stable release, therefore I'm reporting this minor security issue in public.

This module has an XSS vulnerability. The module does not sanitize the video ID field returned by the Vimeo API and prints it into HTML without sanitization. This vulnerability is mitigated by the fact that an attacker would have to either
1) compromise the Vimeo service that returns the data, or
2) perform a man-in-the-middle attack on the unencrypted request that the Drupal site sends to Vimeo.

The Drupal 8 version of this module is not affected.

Steps to reproduce

You can see this vulnerability by:
1. Enabling the module
2. As an admin, adding a video embed field to a content type
3. Adding a node with the video field set to a Vimeo URL, for example https://vimeo.com/1084537
4. Simulating a man-in-the-middle attack by injecting malicious content for the video_id with a patch like this:

diff --git a/video_embed_field.handlers.inc b/video_embed_field.handlers.inc
index 1962008..93ec7cf 100644
--- a/video_embed_field.handlers.inc
+++ b/video_embed_field.handlers.inc
@@ -460,7 +460,9 @@ function _video_embed_field_get_vimeo_data($url) {
   $response = drupal_http_request($oembed_endpoint . '.json?url=' . rawurlencode($url));
 
   try {
-    return json_decode($response->data, TRUE);
+    $result = json_decode($response->data, TRUE);
+    $result['video_id'] = '0"></iframe><script>alert("XSS");</script>';
+    return $result;
   } catch (Exception $e) {
     return FALSE;
   }
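Review bot: this hunk is a reproduction fixture only and must not be committed; it hardcodes an attacker-controlled `video_id` into every decoded response. Note also that `json_decode()` does not throw on malformed data, it returns NULL, so the `catch (Exception $e)` branch on the following lines never runs and `$result['video_id'] = ...` is set unconditionally. That is fine for demonstrating the bug, but the actual fix belongs in the code that prints the ID, not in this fetch function.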

5. Visit the node page and see the malicious script being executed.

Proposed resolution

Run check_plain() on the Vimeo video ID the same way as is done for YouTube in _video_embed_field_get_youtube_id().
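As an added illustration (not the module's own code), the following shows why an unescaped video ID ends up breaking out of the iframe markup and how the proposed check_plain() call prevents it. The render functions are hypothetical stand-ins modelled on a D7 embed handler, the response array is constructed, and check_plain() is stubbed with the same htmlspecialchars() call Drupal 7 uses so the script runs outside Drupal.

```php
<?php
// Stand-in for Drupal 7's check_plain() when run outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed stand-in for the decoded oEmbed response, carrying the same
// payload the reproduction patch injects into video_id.
$vimeo_data = array(
  'title'    => 'Example video',
  'video_id' => '0"></iframe><script>alert("XSS");</script>',
);

// Hypothetical renderer showing the vulnerable pattern: the ID from the API
// response is interpolated straight into a quoted attribute.
function render_vimeo_unsafe(array $data) {
  return '<iframe src="https://player.vimeo.com/video/'
    . $data['video_id'] . '"></iframe>';
}

// Same renderer with the fix proposed in this issue: escape the ID before
// it reaches HTML, as _video_embed_field_get_youtube_id() already does.
function render_vimeo_fixed(array $data) {
  return '<iframe src="https://player.vimeo.com/video/'
    . check_plain($data['video_id']) . '"></iframe>';
}

// Unsafe: the payload closes the src attribute and the iframe, then emits
// its own <script> element.
echo render_vimeo_unsafe($vimeo_data), "\n";

// Fixed: quotes and angle brackets are entity-encoded, so the whole string
// stays inside the src attribute as inert text.
echo render_vimeo_fixed($vimeo_data), "\n";
```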

Remaining tasks

Review the patch.

🐛 Bug report
Status

RTBC

Version

2.0

Component

Code

Created by

klausi (Vienna, Austria)

  • Security

Comments & Activities

It's likely this issue predates Contrib.social: some issue and comment data are missing.