Drupal 7.x Search Module - Full Path Disclosure

[Ursu Mihail <mishka.ursu () yahoo com>]

Drupal 7.x Search Module - Full Path Disclosure
==============
Summary

Full path disclosure due to insufficient input validation in the search module.
==============
Description

Performing a search with the "keys" parameter set as an array, an error message shows the full path of the Drupal 
installation, leading to possible further attacks.
For the error messages to be displayed, php.ini's display_errors must be On.
Authentication: Not Needed
==============
Mitigation

Correct input validation for the "key" parameters
==============
Exploit PoC

example.com/?q=search&keys[]=securitate.md
==============
Affected Versions

Versions 7 < 7.12 are affected.
Not tested on 6.
==============
Credits

Ursu Mihail [ http://securitate.md ]
==============
Disclosure Timeline

Reported to vendor on 1 Mar 2012.
Response from vendor:
Disclosure of the path is not considered a security risk.
Drupal has a configuration setting which allows PHP warnings to be printed to the screen for debugging purposes... For 
production websites, it is a good idea to turn this off, and the messages will not be displayed.
==============
Comments

Unfortunately for them, many sites display errors in production.
==============

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/