Highly Critical Security Flaws In Drupal Audio Module

I have discovered several critical security flaws in the Drupal Audio module, one of which could allow anyone to upload and execute arbitrary code. The issues all stem from the getID3 library, an open source package used by the Audio module to read metadata from files. Included with the library is a set of demo files which, when properly manipulated, can be used to read, delete, upload, and run files without permission.

The Audio module installation instructions direct users to download and unpack the complete getID3 library to their server, with no mention of removing the demo files. The result is that tens of thousands of webmasters (according to a quick Google search) have unknowingly uploaded the insecure demo files to their servers, exposing themselves to serious risks.

Furthermore, this same problem also affects the less popular Mediafield module.

If you have Audio or Mediafield installed on your site, your best course of action is to immediately delete the getID3 demo files, and update your modules to the latest versions.
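One way to carry out the cleanup above is to audit the web root for leftover getID3 demo directories. This is an added example, not code from the original post or from the Audio, Mediafield or getID3 projects. It assumes a getID3 copy can be recognised by a file named `getid3.php` and that its demo scripts sit in a directory named `demos` beside or one level above that file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: locate and optionally remove getID3 demo directories.
# Assumptions (not stated on the page): a getID3 copy is identified by a file
# named getid3.php, and its demo scripts live in a directory named "demos"
# next to that file or one level above it.

# find_getid3_demos WEBROOT
# Prints one path per line for each "demos" directory belonging to a getID3
# copy under WEBROOT. Prints nothing when none are found.
find_getid3_demos() {
    webroot=$1
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 2; }
    find "$webroot" -type f -name 'getid3.php' 2>/dev/null |
    while IFS= read -r lib; do
        libdir=$(dirname "$lib")
        # Check beside getid3.php and in its parent directory.
        for cand in "$libdir/demos" "$(dirname "$libdir")/demos"; do
            if [ -d "$cand" ]; then
                printf '%s\n' "$cand"
            fi
        done
    done | sort -u
}

# remove_getid3_demos WEBROOT [--apply]
# Dry run by default: lists what would be deleted so the paths can be
# reviewed first. With --apply, deletes each directory found.
remove_getid3_demos() {
    webroot=$1
    mode=${2:-}
    find_getid3_demos "$webroot" | while IFS= read -r d; do
        if [ "$mode" = "--apply" ]; then
            rm -rf -- "$d" && echo "removed: $d"
        else
            echo "would remove: $d"
        fi
    done
}

# Usage, after sourcing this file (the path is a placeholder):
#   remove_getid3_demos /path/to/drupal            # review the list
#   remove_getid3_demos /path/to/drupal --apply    # delete
```

Run the dry run first and check each listed path before using `--apply`, since an unrelated directory named `demos` next to a `getid3.php` file would also match.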

The issue has been reported to Drupal security, and an official notice has been posted here. The issue has been classified as a "highly critical" security risk.

Disclaimer: This notice has been posted strictly to help inform webmasters of a potential security issue, so that they may take the appropriate steps to secure their sites. No warranties regarding the accuracy or usefulness of this information are expressed or implied. Please use this knowledge for good and not evil.

Posted by John on 2007-02-15