Twenty Year Anniversary

Drupal Realname User Reference Information Disclosure

Drupal Realname User Reference Information Disclosure
Posted Feb 16, 2010
Authored by Martin Barbella

The Realname User Reference widget in Drupal version 6.x-1.0 allows any user with access content permission to mine user name and real names from accounts.

tags | exploit, info disclosure
MD5 | facc4370bb0f3becb277a76265cba7e9

Drupal Realname User Reference Information Disclosure

Change Mirror Download
Information disclosure vulnerability in Drupal's Realname User Reference
Widget contributed module (version 6.x-1.0)

Discovered by Martin Barbella <barbella@sas.upenn.edu>

Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide variety
of content on a website (http://drupal.org/about).

The Realname CCK User Reference Widget module adds a new widget to the
User Reference CCK field type that uses the Realnames for autocompletion
(http://drupal.org/project/realname_userreference).

Only the access content permission is needed to access the page which
displays the user names and real names for users, used by the
autocompletion widget, resulting in an information disclosure
vulnerability.

Systems affected:
-----------------
This has been confirmed in version 6.x-1.0 of the Realname User
Reference Widget module.

Impact:
-------
This would allow an attacker to collect user names for brute force
attacks, or real names of users for targeted phishing.

Mitigating factors:
-------------------
A user must have the access content permission to exploit this
vulnerability, though in most cases even anonymous users would have this
permission.

Proof of concept:
-----------------
1. Install the module and its dependencies
2. Configure Realname
3. As any user with access content, visit
realnameuserreference/autocomplete or
realnameuserreference/autocomplete/<search terms>
4. Note that real names and usernames can be gathered from the output

Timeline:
---------
2010-02-01 - Drupal Security notified
2010-02-16 - Still no response from Drupal Security
2010-02-16 - Public disclosure

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    10 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close