Drupal Local File Inclusion

27 Feb 2009 | Reported by Bogdan Calin | Type: packetstorm | Source: packetstormsecurity.com

A local file inclusion vulnerability in Drupal's "includes\theme.inc" allows a remote user to include arbitrary files by manipulating the q GET variable. Drupal rewrites forward slashes in q to "-" and wraps the result in a fixed "./themes/garland/page-...tpl.php" template path, but backslashes and a %00 terminator pass through. The flaw is exploitable only on Windows, where ".." components are collapsed lexically and a non-existent path component is simply stepped over, unlike Unix, where every component must resolve. The Drupal security team released a fix on 25 February 2009.

Code
`Hi guys,  
  
I was testing Acunetix WVS (with AcuSensor enabled) on Drupal  
(http://www.drupal.org) and the scanner found a possible File Inclusion  
vulnerability. The vulnerability is located in the file  
"includes\theme.inc" on line 1011.  
  
Vulnerable code:  
function theme_render_template($template_file, $variables) {  
  extract($variables, EXTR_SKIP); // Extract the variables to a local namespace  
  ob_start();                     // Start output buffering  
  include "./$template_file";     // Include the template file <<< here is the vulnerability  
  $contents = ob_get_contents();  // Get the contents of the buffer  
  ob_end_clean();                 // End buffering and discard  
  return $contents;               // Return the contents  
}  
  
Basically, by manipulating the q variable, it's possible to partially  
control the include path. The GET variable q was set to  
"start/../../xxx\..\..\end" and it got partially sanitized.  
It reached the include function as  
"./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php".  
All the slashes were replaced with "-".  
  
Even more, we cannot fully control the include path: the user input is  
automatically prefixed with "./themes/garland/page-".  
  
So, this vulnerability doesn't look exploitable, right?  
Actually, this is exploitable, but only on Windows systems.  
  
On Unix systems, something like "cat  
/var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work  
because some_invalid_filename is not a directory.  
It will not work even if you have a valid filename in there. In my  
opinion this is the expected behavior.  
  
However, on Windows things are different.  
  
Executing the command "type c:\windows\sssssssssssss\..\..\..\..\..\boot.ini"  
will return the contents of c:\boot.ini even if sssssssssssss is not a  
directory and doesn't even exist as a filename.  
  
PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to  
use %00 to terminate the string.  
Therefore, if you set q to something like  
q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00 it's possible to  
include the contents of boot.ini on Windows systems (if the web server  
is installed on the C: partition).  
  
A bit more information is available in our blog at  
http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/.  
  
The Drupal security team was notified about this vulnerability on 29 January  
2009 and they released a fix on 25 February 2009.  
  
The fix for Drupal 5.x is available at http://drupal.org/node/384024,  
and the fix for Drupal 6.x at http://drupal.org/node/383724.  
  
Thanks and have a nice day,  
--   
Bogdan Calin - [email protected]  
CTO  
Acunetix Ltd. - http://www.acunetix.com  
Acunetix Web Security Blog - http://www.acunetix.com/blog  
`
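The chain the advisory describes (slash-to-dash rewriting, the forced "./themes/garland/page-" prefix and ".tpl.php" suffix, the backslashes and NUL byte that survive it, and the Windows-only lexical collapsing of "..") as an added Python model. This is not Drupal's code and not the advisory author's: ntpath.normpath and posixpath.normpath stand in for the two platforms' path normalisation, the docroot paths are constructed sample values, and hardened_template_path is an illustrative allow-list check, not the fix Drupal shipped.

```python
"""Model of the Drupal q -> template-suggestion flaw from the advisory (added example)."""
import ntpath
import posixpath
import re

THEME_DIR = "./themes/garland"                 # prefix observed in the advisory
SUFFIX = ".tpl.php"                            # suffix observed in the advisory
WIN_DOCROOT = "C:\\Inetpub\\wwwroot\\drupal"   # constructed sample docroot (assumption)
UNIX_DOCROOT = "/var/www/drupal"               # constructed sample docroot (assumption)


def legacy_template_path(q: str) -> str:
    """Pre-fix behaviour as reported: only '/' is rewritten to '-';
    '\\' and NUL bytes pass straight into the include path."""
    suggestion = "page-" + q.replace("/", "-")
    return f"{THEME_DIR}/{suggestion}{SUFFIX}"


def path_seen_by_open(path: str) -> str:
    """magic_quotes_gpc is off, so %00 arrives as a raw NUL; a C-string open()
    stops there, which discards the forced .tpl.php suffix."""
    nul = path.find("\x00")
    return path if nul < 0 else path[:nul]


def resolve_windows(relative: str, docroot: str = WIN_DOCROOT) -> str:
    """Windows collapses '..' lexically before consulting the filesystem, so the
    non-existent 'page-' component is stepped over (ntpath.normpath models this)."""
    return ntpath.normpath(ntpath.join(docroot, relative))


def resolve_unix(relative: str, docroot: str = UNIX_DOCROOT) -> str:
    """POSIX: '\\' is not a separator, so the whole payload remains one
    (non-existent) file name inside the theme directory."""
    return posixpath.normpath(posixpath.join(docroot, relative))


# Illustrative hardening (assumption, not Drupal's fix): allow-list the suggestion.
SAFE_SUGGESTION = re.compile(r"[A-Za-z0-9_-]+")


def hardened_template_path(q: str) -> str:
    """Reject separators, dots and NUL outright, then confirm the normalised
    path still lives under THEME_DIR under both separator conventions."""
    suggestion = "page-" + q.replace("/", "-")
    if not SAFE_SUGGESTION.fullmatch(suggestion):
        raise ValueError(f"rejected template suggestion: {suggestion!r}")
    candidate = f"{THEME_DIR}/{suggestion}{SUFFIX}"
    for norm in (ntpath.normpath, posixpath.normpath):
        if not norm(candidate).startswith(norm(THEME_DIR)):
            raise ValueError("template escapes theme directory")
    return candidate


def rejects(q: str) -> bool:
    """True when hardened_template_path refuses q."""
    try:
        hardened_template_path(q)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "\\.." * 12 + "\\boot.ini\x00"          # the advisory's q value
    opened = path_seen_by_open(legacy_template_path(payload))
    print("Windows resolves to:", resolve_windows(opened))
    print("Unix resolves to:   ", resolve_unix(opened))
    for q in ("node/1", "start/../../xxx\\..\\..\\end", payload):
        print("hardened:", "rejected" if rejects(q) else hardened_template_path(q))
```

Running it shows the advisory's first probe ("start/../../xxx\..\..\end") producing exactly the "page-start-..-..-xxx\..\..\end.tpl.php" name it reports, the boot.ini payload collapsing to C:\boot.ini under Windows rules while staying a single bogus file name under themes/garland on Unix, and the allow-list refusing both probes while still accepting an ordinary path such as node/1.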
