exploit the possibilities

Drupal Core 6.x / 7.x Access Bypass / Code Execution

Drupal Core 6.x / 7.x Access Bypass / Code Execution
Posted Dec 20, 2012
Authored by Derek Wright, Damien Tournoud, Simon Rycroft | Site drupal.org

Drupal core versions 6.x and 7.x suffer from access bypass and arbitrary PHP code execution vulnerabilities.

tags | advisory, arbitrary, php, vulnerability, code execution
MD5 | 271c0b91aa455cc4ea126db7a1264fab

Drupal Core 6.x / 7.x Access Bypass / Code Execution

Change Mirror Download
View online: http://drupal.org/SA-CORE-2012-004

* Advisory ID: DRUPAL-SA-CORE-2012-004
* Project: Drupal core [1]
* Version: 6.x, 7.x
* Date: 2012-December-19
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass, Arbitrary PHP code execution

-------- DESCRIPTION
---------------------------------------------------------

Multiple vulnerabilities were fixed in the supported Drupal core versions 6
and 7.

.... Access bypass (User module search - Drupal 6 and 7)

A vulnerability was identified that allows blocked users to appear in user
search results, even when the search results are viewed by unprivileged
users.

This vulnerability is mitigated by the fact that the default Drupal core user
search results only display usernames (and disclosure of usernames is not
considered a security vulnerability [3]). However, since modules or themes
may override the search results to display more information from each user's
profile, this could result in additional information about blocked users
being disclosed on some sites.

CVE: Requested.

.... Access bypass (Upload module - Drupal 6)

A vulnerability was identified that allows information about uploaded files
to be displayed in RSS feeds and search results to users that do not have the
"view uploaded files" permission.

This issue affects Drupal 6 only.

CVE: Requested.

.... Arbitrary PHP code execution (File upload modules - Drupal 6 and 7)

Drupal core's file upload feature blocks the upload of many files that can be
executed on the server by munging the filename. A malicious user could name a
file in a manner that bypasses this munging of the filename in Drupal's input
validation.

This vulnerability is mitigated by several factors: The attacker would need
the permission to upload a file to the server. Certain combinations of PHP
and filesystems are not vulnerable to this issue, though we did not perform
an exhaustive review of the supported PHP versions. Finally: the server would
need to allow execution of files in the uploads directory. Drupal core has
protected against this with a .htaccess file protection in place from
SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache
configurations [4]. Users of IIS should consider updating their web.config
[5]. Users of Nginx should confirm that only the index.php and other known
good scripts are executable. Users of other webservers should review their
configuration to ensure the goals are achieved in some other way.

CVE: Requested.


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

* /A CVE identifier [6] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

* Drupal core 6.x versions prior to 6.27.
* Drupal core 7.x versions prior to 7.18.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use Drupal 6.x, upgrade to Drupal core 6.27 [7].
* If you use Drupal 7.x, upgrade to Drupal core 7.18 [8].

Also see the Drupal core [9] project page.

-------- REPORTED BY
---------------------------------------------------------

* The access bypass issue in the User module search results was reported by
Derek Wright [10] of the Drupal Security Team.
* The access bypass issue in the Drupal 6 Upload module was reported by
Simon Rycroft [11], and by Damien Tournoud [12] of the Drupal Security
Team.
* The arbitrary code execution issue was reported by Amit Asaravala [13].

-------- FIXED BY
------------------------------------------------------------

* The access bypass issue in the User module search results was fixed by
Derek Wright [14], Ivo Van Geertruyen [15], Peter Wolanin [16], and David
Rothstein [17], all members of the Drupal Security Team.
* The access bypass issue in the Drupal 6 Upload module was fixed by
Michaël Dupont [18], and by Fox [19] and David Rothstein [20] of the
Drupal Security Team.
* The arbitrary code execution issue was fixed by Nathan Haug [21] and
Justin Klein-Keane [22], and by John Morahan [23] and Greg Knaddison [24]
of the Drupal Security team.

-------- COORDINATED BY
------------------------------------------------------

* Jeremy Thorson [25] QA/Testing infrastructure
* Ben Jeavons [26] of the Drupal Security Team
* David Rothstein [27] of the Drupal Security Team
* Gábor Hojtsy [28] of the Drupal Security Team
* Greg Knaddison [29] of the Drupal Security Team
* Fox [30] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [31].

Learn more about the Drupal Security team and their policies [32], writing
secure code for Drupal [33], and securing your site [34].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1004778
[4] http://drupal.org/node/65409
[5] http://drupal.org/node/1543392
[6] http://cve.mitre.org/
[7] http://drupal.org/drupal-6.27-release-notes
[8] http://drupal.org/drupal-7.18-release-notes
[9] http://drupal.org/project/drupal
[10] http://drupal.org/user/46549
[11] http://drupal.org/user/151544
[12] http://drupal.org/user/22211
[13] http://drupal.org/user/181407
[14] http://drupal.org/user/46549
[15] http://drupal.org/user/383424
[16] http://drupal.org/user/49851
[17] http://drupal.org/user/124982
[18] http://drupal.org/user/400288
[19] http://drupal.org/user/426416
[20] http://drupal.org/user/124982
[21] http://drupal.org/user/35821
[22] http://drupal.org/user/302225
[23] http://drupal.org/user/58170
[24] http://drupal.org/user/36762
[25] http://drupal.org/user/148199
[26] http://drupal.org/user/91990
[27] http://drupal.org/user/124982
[28] http://drupal.org/user/4166
[29] http://drupal.org/user/36762
[30] http://drupal.org/user/426416
[31] http://drupal.org/contact
[32] http://drupal.org/security-team
[33] http://drupal.org/writing-secure-code
[34] http://drupal.org/security/secure-configuration

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close