0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Drupal 7.31 CORE pre Auth SQL Injection Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Advisory: Drupal - pre-auth SQL Injection Vulnerability Release Date: 2014/10/15 Last Modified: 2014/10/15 Author: Stefan Horst Application: Drupal >= 7.0 <= 7.31 Severity: Full SQL injection, which results in total control and code execution of Website. Risk: Highly Critical Vendor Status: Drupal 7.32 fixed this bug Reference: http://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html Overview: Quote from http://www.drupal.org "Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world." During a code audit of Drupal extensions for a customer an SQL Injection was found in the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries. And thereby control the complete Drupal site. This leads to a code execution as well. This vulnerability can be exploited by remote attackers without any kind of authentication required. Details: Drupal uses prepared statements in all its SQL queries. To handle IN statements there is an expandArguments function to expand arrays. protected function expandArguments(&$query, &$args) { $modified = FALSE; // If the placeholder value to insert is an array, assume that we need // to expand it out into a comma-delimited set of placeholders. foreach (array_filter($args, 'is_array') as $key => $data) { $new_keys = array(); foreach ($data as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } // Update the query with the new placeholders. // preg_replace is necessary to ensure the replacement does not affect // placeholders that start with the same exact text. For example, if the // query contains the placeholders :foo and :foobar, and :foo has an // array of values, using str_replace would affect both placeholders, // but using the following preg_replace would only affect :foo because // it is followed by a non-word character. $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query); // Update the args array with the new placeholders. unset($args[$key]); $args += $new_keys; $modified = TRUE; } return $modified; } The function assumes that it is called with an array which has no keys. Example: db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2'))); Which results in this SQL Statement SELECT * from users where name IN (:name_0, :name_1) with the parameters name_0 = user1 and name_1 = user2. The Problem occurs, if the array has keys, which are no integers. Example: db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2'))); this results in an exploitable SQL query: SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1 with parameters :name_test = user2. Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can be used to insert arbitrary data in the database, dump or modify existing data or drop the whole database. With the possibility to INSERT arbitrary data into the database an attacker can execute any PHP code through Drupal features with callbacks. Patch: $new_keys = array(); foreach (array_values($data) as $i => $value) { // This assumes that there are no other placeholders that use the same // name. For example, if the array placeholder is defined as :example // and there is already an :example_2 placeholder, this will generate // a duplicate key. We do not account for that as the calling code // is already broken if that happens. $new_keys[$key . '_' . $i] = $value; } Proof of Concept: SektionEins GmbH has developed a proof of concept, but was asked by Drupal to postpone the release. Disclosure Timeline: 16. Sep. 2014 - Notified the Drupal devs via security contact form 15. Okt. 2014 - Relase of Bugfix by Drupal core Developers Recommendation: It is recommended to upgrade to the latest version of Drupal. Grab your copy at: https://www.drupal.org/project/drupal # 0day.today [2024-11-16] #