Full Disclosure mailing list archives
Drupal Views Module Information Disclosure Vulnerability
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Fri, 02 Jul 2010 08:10:20 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this vulnerability are also available at:
http://www.madirish.net/?article=465

Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Drupal Views (http://drupal.org/project/views) module "provides a flexible method for Drupal site designers to control how lists and tables of content (nodes in Views 1, almost anything in Views 2) are presented."

The Views module contains an information disclosure vulnerability: its AJAX user autocomplete callback returns account names to any user who is allowed to access content, without checking whether that user is allowed to view user profiles.

Systems affected:
Drupal 6.16 with Views 6.x-2.9, 6.x-2.10 and 6.x-2.11 were tested and shown to be vulnerable.

Impact:
Information disclosure vulnerabilities such as this could allow malicious attackers to harvest username data in order to launch a targeted brute force attack against site users. This vulnerability exposes actual login names, so defensive strategies that hide usernames (such as using aliases, or the RealName (http://drupal.org/project/realname) module) cannot protect against this exposure. This method is particularly useful for finding the Drupal super user account (uid 1) and other accounts that might not be exposed anywhere on the public facing site. This technique can be combined with the brute force attack techniques described at http://madirish.net/index.html?article=443 and http://madirish.net/index.html?article=464 to gain unauthorized access.

Mitigating factors:
The 'access content' permission is required, but this permission is usually granted to anonymous users.

Proof of Concept:
1. Install Drupal
2. Install and enable the Views module
3. Browse the site URL ?q=admin/views/ajax/autocomplete/user/a to view all users whose name starts with the letter 'a'
4. Cycle through all letters to reveal the complete list of site users

Technical details:
The Views module does not check the 'access user profiles' permission in the views_ajax_autocomplete_user() function; the menu callback is reachable with 'access content' alone.

Patch for Views 6.x-2.8
Applying the following patch mitigates these threats in Drupal 6.16 with Views 6.x-2.8

- --- views/includes/ajax.inc 2010-04-02 15:36:34.117075835 -0400
+++ views/includes/ajax.inc.fixed 2010-04-02 15:37:51.727276610 -0400
@@ -159,7 +159,7 @@ function views_ajax_autocomplete_user($s
// Fetch last tag
$last_string = trim(array_pop($array));
$matches = array();
- --- if ($last_string != '') {
+++ if ($last_string != '' && user_access('access user profiles')) {
$prefix = count($array) ? implode(', ', $array) . ', ' : '';
if (strpos('anonymous', strtolower($last_string)) !== FALSE) {

Vendor response:
Vendor was notified April 2, 2010 of this issue. Three versions of Views have been released since. On July 1, 2010 Drupal security decided that "the security team does not consider this a vulnerability."

- --
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail can be verified using the key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPsEAQECAAYFAkwt1ywACgkQkSlsbLsN1gDR1Ab2IT1bI4+Q1cPN2rztJE6lEYTw
fxTSv4OsB0QrZckVtBKV/f70M2nU2ybohJRBVOyQLjcSwUVACmfdcZ6XPtn5fWi5
jQ4++TLEGc1pOD2ZvF1JUzroSXBpMFTfNr3H79rYQtuZM1fD63tF/KKVjvnnpM+V
ZEpDeLZA/kDy9Yg/u3rumJzUYVzJbyk9Z6kwVWqcNDx+utlaq6zPwC+aWM+pWFXR
NiMw8NVlcUKstfvQkEnR5LhX/91ct+yWsRLFP3Z3E8MgCffHsp0JE2+7rNzuPdlp
3GfAaEOGTzAKN7SD4g==
=wmQ3
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
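Review bot: the user_access('access user profiles') check in the patch hunk above is placed inside the function body, so an unauthorized caller is not denied but simply falls through with the empty $matches initialised two lines earlier and still receives a successful response; the menu router entry for admin/views/ajax/autocomplete/user (not part of this diff) should carry the same permission in its access arguments so the path is refused outright, which also avoids leaking "name exists or not" through an empty-versus-non-empty reply to any code path that later bypasses this branch. The hunk is also written against 6.x-2.8 while the versions listed as tested are 6.x-2.9 through 6.x-2.11, so the @@ -159,7 +159,7 @@ offsets may need adjusting for those releases.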
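Added example, not code from the advisory or from the Views project: an offline Python model of steps 3 and 4 of the proof of concept. It stands in for admin/views/ajax/autocomplete/user/<prefix> with a constructed user table and a hypothetical Caller class, harvests every account name (including uid 1) by cycling through prefixes, and shows why the 'access user profiles' check from the patch stops an anonymous caller while an authenticated one with that permission is unaffected. Two details are assumptions not stated on the page: the endpoint does a case-insensitive prefix match, and it caps each response at RESULT_CAP entries, which is why the harvester extends any prefix whose reply comes back full instead of stopping at single letters.

```python
"""Offline model of the Views user-autocomplete enumeration.

Added example; not the advisory's or the Views module's code.  Assumptions
(not on the page): case-insensitive prefix match, and at most RESULT_CAP
names per response.
"""
import json
import string

# Constructed sample user table (uid, name); not real data.
USERS = [
    (1, "admin"), (2, "alice"), (3, "albert"), (4, "alfred"), (5, "amanda"),
    (6, "amy"), (7, "andrew"), (8, "angela"), (9, "anita"), (10, "anthony"),
    (11, "april"), (12, "arthur"), (13, "bob"), (14, "carol"), (15, "dave"),
]

RESULT_CAP = 10  # assumed per-response limit, as autocomplete endpoints commonly have


class Caller:
    """Hypothetical stand-in for a Drupal account with a set of granted permissions."""

    def __init__(self, permissions):
        self.permissions = set(permissions)

    def user_access(self, permission):
        return permission in self.permissions


def autocomplete_user(prefix, caller, patched=False):
    """Return the JSON the autocomplete callback would emit for `prefix`.

    The menu router only requires 'access content'.  With patched=False the
    body performs no further check (the reported behaviour); with
    patched=True it also requires 'access user profiles', mirroring the
    advisory's one-line fix.  Either way an unauthorised caller gets "{}".
    """
    if not caller.user_access("access content"):
        return json.dumps({})
    matches = {}
    if prefix != "" and (not patched or caller.user_access("access user profiles")):
        for _uid, name in sorted(USERS, key=lambda u: u[1].lower()):
            if name.lower().startswith(prefix.lower()):
                matches[name] = name
                if len(matches) >= RESULT_CAP:
                    break
    return json.dumps(matches)


def harvest(fetch, alphabet=string.ascii_lowercase + string.digits):
    """Enumerate every name reachable through `fetch(prefix)`.

    Step 4 of the proof of concept, generalised: a prefix whose response is
    full (RESULT_CAP entries) may be hiding more names, so it is extended by
    one more character and queried again.  The alphabet is an assumption;
    real sites may allow spaces, dots and dashes in names as well.
    Returns (set_of_names, number_of_requests).
    """
    found = set()
    pending = list(alphabet)
    requests = 0
    while pending:
        prefix = pending.pop()
        names = json.loads(fetch(prefix))
        requests += 1
        found.update(names)
        if len(names) >= RESULT_CAP:
            pending.extend(prefix + c for c in alphabet)
    return found, requests


def demo():
    """Run the harvester against the unpatched and patched model endpoints."""
    anonymous = Caller(["access content"])
    authenticated = Caller(["access content", "access user profiles"])
    leaked, n = harvest(lambda p: autocomplete_user(p, anonymous))
    after_patch, _ = harvest(lambda p: autocomplete_user(p, anonymous, patched=True))
    still_ok, _ = harvest(lambda p: autocomplete_user(p, authenticated, patched=True))
    return leaked, n, after_patch, still_ok


if __name__ == "__main__":
    leaked, n, after_patch, still_ok = demo()
    print(f"unpatched, anonymous: {len(leaked)} names in {n} requests: {sorted(leaked)}")
    print(f"patched, anonymous:   {len(after_patch)} names")
    print(f"patched, 'access user profiles': {len(still_ok)} names")
```

Against the constructed table the single-letter pass for 'a' comes back full (ten of twelve names), so the harvester issues the 36 two-character follow-ups and recovers april and arthur; the whole table, admin included, costs 72 requests. Against a live site the same loop would be driven by HTTP GETs of ?q=admin/views/ajax/autocomplete/user/<prefix>, and a result cap that is higher or absent only makes the enumeration cheaper.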