exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal Local File Inclusion

Drupal Local File Inclusion
Posted Feb 27, 2009
Authored by Bogdan Calin | Site acunetix.com

Drupal suffers from a local file inclusion when used on Windows.

tags | exploit, local, file inclusion
systems | windows
SHA-256 | 9cd8ddc53a2fc1d8ef6a9b1fa8eaf39c6f24a1d28ccd8585ce811951ee8eda6f

Drupal Local File Inclusion

Change Mirror Download
Hi guys,

I was testing Acunetix WVS (with AcuSensor enabled) on Drupal
(http://www.drupal.org) and the scanner found a possible File Inclusion
vulnerability. The vulnerability is located in the file
"includes\theme.inc" on line 1011.

Vulnerable code:
function theme_render_template($template_file, $variables) {
extract($variables, EXTR_SKIP); // Extract the variables to a local
namespace
ob_start(); // Start output buffering
include "./$template_file"; // Include the template file <<< here
is the vulnerability
$contents = ob_get_contents(); // Get the contents of the buffer
ob_end_clean(); // End buffering and discard
return $contents; // Return the contents
}

Basically, by manipulating the q variable, it's possible to partially
control the include path. The GET variable q was set to
"start/../../xxx\..\..\end" and it got partially sanitized.
It reached the include function as
"./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php".
All the slashes were replaced with "-".

Even more, we cannot fully control the include path, the user input is
automatically prefixed with "./themes/garland/page-".

So, this vulnerability doesn't look exploitable, right?
Actually, this is exploitable, but only on Windows systems.

On Unix systems, something like "cat
/var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work
because some_invalid_filename is not a directory.
It will not work even if you have a valid filename in there. In my
opinion this is the expected behavior.

However, on Windows things are differently.

Executing the command "type
c:\windows\sssssssssssss\..\..\..\..\..\boot.ini" will return the
contents of
c:\boot.ini even if sssssssssssss is not a directory and it doesn't even
exists as a filename.

PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to
use %00 to terminate the string.
Therefore, if you set q to something like
q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00 it's possible to
include the contents of boot.ini on Windows systems (if the web server
is installed on the C: partition).

A bit more information is available in our blog at
http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/.

Drupal security team was notified about this vulnerability on 29 January
2009 and they've released a fix on 25 February 2009.

The fix for Drupal versions 5.x is available at
http://drupal.org/node/384024.
And for Drupal versions 6.x can be found at http://drupal.org/node/383724.

Thanks and have a nice day,
--
Bogdan Calin - bogdan@acunetix.com
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close