Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28073
HistoryMay 14, 2012 - 12:00 a.m.

Drupal 7.14 <= Full Path Disclosure Vulnerability

2012-05-1400:00:00
vulners.com
68
JSON

#################################################
Drupal 7.14 <= Full Path Disclosure Vulnerability
#################################################

Discovered by: Jean Pascal Pereira <[email protected]>

About Drupal:

"Drupal is an open source content management platform powering millions of websites and
applications. It's built, used, and supported by an active and diverse community of people
around the world."

Drupal is used by common companies like Ing/Diba, Amnesty International and The White House.

#################################################

Issue: Full Path Disclosure

Risk-level: Medium

The remote attacker has the possibility to detect the full local path of drupal.
This information can be used for processing further attacks against the server.

In includes/bootstrap.inc, line 2695:

function request_path() {
static $path;

if (isset($path)) {
return $path;
}

if (isset($_GET['q'])) {
// This is a request with a ?q=foo/bar query string. $_GET['q'] is
// overwritten in drupal_path_initialize(), but request_path() is called
// very early in the bootstrap process, so the original value is saved in
// $path and returned in later calls.
$path = $_GET['q'];
}
elseif (isset($_SERVER['REQUEST_URI'])) {
// This request is either a clean URL, or 'index.php', or nonsense.
// Extract the path from REQUEST_URI.
$request_path = strtok($_SERVER['REQUEST_URI'], '?');
$base_path_len = strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/'));
// Unescape and strip $base_path prefix, leaving q without a leading slash.
$path = substr(urldecode($request_path), $base_path_len + 1);
// If the path equals the script filename, either because 'index.php' was
// explicitly provided in the URL, or because the server added it to
// $_SERVER['REQUEST_URI'] even when it wasn't provided in the URL (some
// versions of Microsoft IIS do this), the front page should be served.
if ($path == basename($_SERVER['PHP_SELF'])) {
$path = '';
}
}
else {
// This is the front page.
$path = '';
}

// Under certain conditions Apache's RewriteRule directive prepends the value
// assigned to $_GET['q'] with a slash. Moreover we can always have a trailing
// slash in place, hence we need to normalize $_GET['q'].
$path = trim($path, '/');

return $path;
}

Exploit / Proof Of Concept:

http://localhost/?q[]=x

Hotfix:

Search for:

$path = trim($path, '/');

And add the following line above:

if(is_array($path)) { $path = $path[0]; }

#################################################

JSON