Drupal Ajax Checklist Module SQL Injection Vulnerability

30 November -0001


Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security.

The Ajax Checklist module (http://drupal.org/project/ajax_checklist), created by AsciiKewl (http://drupal.org/user/147292) is designed to allow users to input dynamic checklists into nodes. These checklists can then be checked or unchecked with state tracked via AJAX calls to pages that store the state in the database. Due to poor input validation on the AJAX handling pages, this module is vulnerable to SQL injection attacks. Depending on configuration, these attacks could be carried out by remote unauthenticated users. Due to it's data driven design, SQL injection attacks pose a critical threat to Drupal installations and their hosts and could lead to full control over the webserver process.

The critical flaw exists within the ajax_checklist_save() function (lines 61-84 of ajax_checklist.module). This function accepts three parameters ($nid,$qid, and $state), all of which can be manipulated via a properly crafted URL. These parameters are then used to craft SQL select, insert, and update statements without first being sanitized.

Vulnerable Versions

5.x-1.0 dated 1007-Aug-18 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:


will cause the administrator password to be inserted into the ajax_checkbox table in the Drupal database:

mysql> select * from ajax_checklist;
| nid | user | qid                              | state |
|   1 |    0 | 2                                |     2 |
|   3 |    3 | 4202b5f87a68583e20aae6917c8c33d1 |     3 |
|   4 |    4 | 4                                |     3 |


Highly critical. Depending on configuration, this vulnerability could allow attackers to compromise the Drupal administrator account, an attack that can lead to web server and even host compromise since the administrator can configure file uploads and alter any content on the Drupal installation.

Determining Version

The ajax_checklist.info page for vulnerable versions displays the following information:

; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the
package = Other
version = 5.x-0.1

; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"

Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted September 17, 2008. A security patch and announcement should be available Wednesday September 24, 2008.