On Wed, Mar 14, 2012 at 2:39 PM, Ursu Mihail <[email protected]> wrote:
> Drupal 7.x Search Module - Full Path Disclosure
> ==============
> Summary
>
> Full path disclosure due to insufficient input validation in the search
> module.
> ==============
> Description
>
> Performing a search with the "keys" parameter set as an array, an error
> message shows the full path of the Drupal installation, leading to possible
> further attacks.
> For the error messages to be displayed, php.ini's display_errors must be
> On.
> Authentication: Not Needed
> ==============
> Mitigation
>
> Correct input validation for the "key" parameters
> ==============
> Exploit PoC
>
> example.com/?q=search&keys[]=securitate.md
> ==============
> Affected Versions
>
> Versions 7 < 7.12 are affected.
> Not tested on 6.
> ==============
> Credits
>
> Ursu Mihail [ http://securitate.md ]
> ==============
> Disclosure Timeline
>
> Reported to vendor on 1 Mar 2012.
> Response from vendor:
> Disclosure of the path is not considered a security risk.
> Drupal has a configuration setting which allows PHP warnings to be printed
> to the screen for debugging purposes... For production websites, it is a
> good idea to turn this off, and the messages will not be displayed.
> ==============
> Comments
>
> Unfortunately for them, many sites display errors in production.
> ==============
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

btw. that's a pretty common problem.
I also reported a similar issue a while back about https://dev.twitter.com/search/apachesolr_search/api?page[]=123
it seems that the apachesolr_search drupal module is also vulnerable. :/
http://code.google.com/p/twitter-api/issues/detail?id=2271

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
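An added illustration of the bug class both messages describe, written for this page and not taken from either post or from Drupal's own code: a query parameter the handler assumes is a string arrives as an array (`keys[]=...`), the string function it is passed to emits a PHP warning naming the absolute file path, and with `display_errors` on that warning reaches the client. The function names, the file path in the comment and the sample inputs are constructed.

```php
<?php
// Constructed example (not Drupal code). The request /?q=search&keys[]=foo
// makes PHP populate $_GET['keys'] as array('foo'), not as a string.

// Vulnerable pattern: "keys" is assumed to be a string. On PHP 5/7 an
// array argument produces a warning such as
//   Warning: trim() expects parameter 1 to be string, array given in
//   /var/www/html/modules/search/search.module on line 123   (path constructed)
// and on PHP 8 an uncaught TypeError with the same file/line detail.
// If display_errors=On, that text, including the install path, is sent
// to the browser.
function search_keys_vulnerable(array $query)
{
    $keys = isset($query['keys']) ? $query['keys'] : '';
    return trim($keys);            // array in -> warning/error naming the file path
}

// Hardened pattern: validate the type before touching the value, so
// malformed input is handled by your code instead of by the PHP runtime.
function search_keys_hardened(array $query)
{
    if (!isset($query['keys']) || !is_string($query['keys'])) {
        return null;               // treat non-string input as "no search terms"
    }
    $keys = trim($query['keys']);
    return $keys === '' ? null : $keys;
}

// Defence in depth for production, matching the vendor's advice in the
// thread: never render PHP diagnostics to clients, log them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Constructed sample inputs: a normal search and the array-valued one.
var_dump(search_keys_hardened(array('keys' => 'securitate.md')));   // string "securitate.md"
var_dump(search_keys_hardened(array('keys' => array('securitate.md')))); // NULL, no warning
```

The type check removes the information leak regardless of the php.ini setting; the `display_errors` change is the blanket control for every other code path that still assumes well-formed input.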
