function theme_render_template($template_file, $variables) {
  extract($variables, EXTR_SKIP); // Extract the variables to a local namespace
  ob_start(); // Start output buffering
  include "./$template_file"; // Include the template file <<< here is the vulnerability
  $contents = ob_get_contents(); // Get the contents of the buffer
  ob_end_clean(); // End buffering and discard
  return $contents; // Return the contents
}
Basically, by manipulating the q variable, it's possible to partially control the include path. The GET variable q was set to "start/../../xxx\..\..\end" and it got partially sanitized. It reached the include function as "./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php": all the forward slashes were replaced with "-", but the backslashes were left untouched.
Moreover, we cannot fully control the include path: the user input is automatically prefixed with "./themes/garland/page-".
So, this vulnerability doesn't look exploitable, right? Actually, it is exploitable, but only on Windows systems.
On Unix systems, something like "cat /var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work because some_invalid_filename is not a directory. It will not work even if you have a valid filename in there. In my opinion this is the expected behavior.
However, on Windows things are different.
Executing the command "type c:\windows\sssssssssssss\..\..\..\..\..\boot.ini" will return the contents of c:\boot.ini even if sssssssssssss is not a directory and doesn't even exist as a filename.
The PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to use a null byte to terminate the string. Therefore, if you set q to something like q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini it's possible to include the contents of boot.ini on Windows systems (if the web server is installed on the C: partition).
A bit more information is available in our blog at http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/.
The Drupal security team was notified about this vulnerability on 29 January 2009 and they released a fix on 25 February 2009.
The fix for Drupal versions 5.x is available at http://drupal.org/node/384024.
The fix for Drupal versions 6.x can be found at http://drupal.org/node/383724.
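A hardened version of the include step, added here as an example and not Drupal's own fix (the template directory, the helper names and the allowed character set are assumptions): the template name is restricted to a safe character set before any filesystem access, and realpath() confirms the resolved file still lies inside the template directory, which closes both the Windows "\..\" traversal and the null-byte truncation regardless of magic_quotes_gpc.

```php
<?php
// Added example, not Drupal code. Assumes templates live in one fixed
// directory and are addressed by a plain name (no separators, no '..').
function safe_template_path(string $template_dir, string $name): ?string {
    // Reject anything but a plain template name: no '/', no '\', no NUL
    // byte, no '..' segments. This blocks the Windows '\..\' trick and the
    // NUL-truncation trick before any filesystem call is made.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.tpl.php');
    // realpath() resolves '..' and symlinks and returns false for a missing
    // file; the resolved file must stay under the template directory. The
    // trailing separator avoids a prefix match such as "garland-other".
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function theme_render_template_safe(string $template_dir, string $name, array $variables): string {
    $path = safe_template_path($template_dir, $name);
    if ($path === null) {
        // Log the hex form so NUL bytes and backslashes are visible in logs.
        throw new RuntimeException('Refusing to render template ' . bin2hex($name));
    }
    extract($variables, EXTR_SKIP); // Same rendering steps as the original
    ob_start();
    include $path;
    return ob_get_clean();
}

// Constructed inputs modelled on the page; both are rejected by the
// character check, so realpath() is never reached with attacker data.
$rejected = [
    "start/../../xxx\\..\\..\\end",
    "\\..\\..\\..\\..\\..\\..\\boot.ini\0",
];
foreach ($rejected as $q) {
    var_dump(safe_template_path(__DIR__ . '/themes/garland', 'page-' . $q)); // NULL
}
```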