Lucene search
K

Drupal SA-CONTRIB-2009-036: Services Module Key-Based Access Bypass

🗓️ 11 Jun 2009 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 42 Views

The Drupal Services Module allows unauthenticated access to view or add key

Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2009-2035
12 Jun 200917:28
cve
Cvelist
CVE-2009-2035
12 Jun 200917:28
cvelist
EUVD
EUVD-2009-2031
7 Oct 202500:30
euvd
NVD
CVE-2009-2035
12 Jun 200918:00
nvd
Prion
Code injection
12 Jun 200918:00
prion
RedhatCVE
CVE-2009-2035
21 May 202521:01
redhatcve
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(39365);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-2035");
  script_bugtraq_id(35292);
  script_xref(name:"SECUNIA", value:"33371");

  script_name(english:"Drupal SA-CONTRIB-2009-036: Services Module Key-Based Access Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
an authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Drupal running on the remote host includes the
third-party Services module, which offers a way to integrate external
applications with Drupal using XMLRPC, SOAP, REST, AMF, or other such
interfaces. It is currently configured to use a validation token, or
'key', for authentication, and contains a flaw that allows an
unauthenticated, remote attacker to view or add keys. Depending on
access control checks for the underlying services exposed, an attacker
may be able to access services that he would not normally be able to.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/node/488004");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Services 6.x-0.14 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/06/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:services_module_for_drupal");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("drupal_detect.nasl");
  script_require_keys("installed_sw/Drupal", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Drupal";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(qs:dir, port:port);

# Try to pull up form for adding a key.
url = "/admin/build/services/keys/add";

res = http_send_recv3(method:"GET", item:dir+url, port:port, exit_on_fail:TRUE);

# There's a problem if we see the expected contents.
if (
  'id="services-admin-keys-form"' >< res[2] ||
  'id="edit-submit" value="Create key"' >< res[2]
)
{
  output = strstr(res[2], 'id="services-admin-keys-form"');
  security_report_v4(
    port        : port,
    severity    : SECURITY_WARNING,
    generic     : TRUE,
    request     : make_list(install_url + url),
    output      : chomp(output)
  );
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Apr 2022 00:00Current
5.6Medium risk
Vulners AI Score5.6
CVSS 26.4
EPSS0.01222
42