| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Jul 2010 08:10:20 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Drupal Views Module Information Disclosure
Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Details of this vulnerability are also available at:
http://www.madirish.net/?article=465
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.
The Drupal Views (http://drupal.org/project/views) module "provides a
flexible method for Drupal site designers to control how lists and
tables of content (nodes in Views 1, almost anything in Views 2) are
presented." The Views module contains an information disclosure
vulnerability due to the fact that it allows access to user profile data.
Systems affected:
Drupal 6.16 with Views 6.x-2.9, 6.x-2.10 and 6.x-2.11 was tested and
shown to be vulnerable.
Impact:
Information disclosure vulnerabilities such as this could allow
malicious attackers to harvest username data in order to launch a
targeted brute force attack against site users. This vulnerability
exposes actual login names, so defensive strategies to protect usernams
(such as using aliases, or the RealName
(http://drupal.org/project/realname) module) cannot protect against this
exposure. This method is particularly useful for finding the Drupal
super user account (id 1) and other accounts that might not be exposed
anywhere on the public facing site. This technique can be combined with
brute force attack techniques described at
http://madirish.net/index.html?article=443 and
http://madirish.net/index.html?article=464 to gain unauthorized access.
Mitigating factors:
Access content permission is required, but this permission is usually
granted to anonymous users.
Proof of Concept:
1. Install Drupal
2. Install and enable the Views module
3. Browse the site URL ?q=admin/views/ajax/autocomplete/user/a to view
all users whose name starts with the letter 'a'
4. Cycle through all letters to reveal complete list of site users
Technical details:
The Views module fails to provide access controls in the
views_ajax_autocomplete_user() function.
Patch for Views 6.x-2.8
Applying the following patch mitigates these threats in Drupal 6.16 with
Views 6.x-2.8
- --- views/includes/ajax.inc 2010-04-02 15:36:34.117075835 -0400
+++ views/includes/ajax.inc.fixed 2010-04-02 15:37:51.727276610 -0400
@@ -159,7 +159,7 @@ function views_ajax_autocomplete_user($s
// Fetch last tag
$last_string = trim(array_pop($array));
$matches = array();
- --- if ($last_string != '') {
+++ if ($last_string != '' && user_access('access user profiles')) {
$prefix = count($array) ? implode(', ', $array) . ', ' : '';
if (strpos('anonymous', strtolower($last_string)) !== FALSE) {
Vendor response:
Vendor was notified April 2, 2010 of this issue. Three versions of
Views have been released since. On July 1, 2010 Drupal security decided
that "the security team does not consider this a vulnerability."
- --
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this e-mail can be verified using
the key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPsEAQECAAYFAkwt1ywACgkQkSlsbLsN1gDR1Ab2IT1bI4+Q1cPN2rztJE6lEYTw
fxTSv4OsB0QrZckVtBKV/f70M2nU2ybohJRBVOyQLjcSwUVACmfdcZ6XPtn5fWi5
jQ4++TLEGc1pOD2ZvF1JUzroSXBpMFTfNr3H79rYQtuZM1fD63tF/KKVjvnnpM+V
ZEpDeLZA/kDy9Yg/u3rumJzUYVzJbyk9Z6kwVWqcNDx+utlaq6zPwC+aWM+pWFXR
NiMw8NVlcUKstfvQkEnR5LhX/91ct+yWsRLFP3Z3E8MgCffHsp0JE2+7rNzuPdlp
3GfAaEOGTzAKN7SD4g==
=wmQ3
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists