Open source software security

Drupal Ctools 6.x-1.3 Multiple Vulnerabilities

30 November -0001

CVE-2010-1546, CVE-2010-1547 and CVE-2010-1548

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through hundreds of third party modules. The Chaos tool suite module (http://drupal.org/project/ctools) suffers from an arbitrary PHP code execution vulnerability (CVE-2010-1546).

Chaos tool suite also fails to perform proper forms checking for linked functionality in administrative forms which results in cross site request forgery (XSRF) vulnerabilities (CVE-2010-1547).

Chaos tools suite also fails to perform status checking when implementing auto complete functionality allowing for bypass of node publish settings or other protections such as those imposed by the Protected Node module (http://drupal.org/project/protected_node) (CVE-2010-1548).

Chaos tools suite also contains an unexploitable (as written) SQL injection vulnerability.

Systems affected:

Drupal 6.16 with Ctools 6.x-1.3 was tested and shown to be vulnerable

Impact

Authenticated users with 'administer page manager' permissions can execute arbitrary PHP code, which could lead to compromise of the web server process. Users with 'access content' permission can view titles of unpublished nodes. Attackers could cause authenticated users to alter configuration using XSRF.

Mitigating factors:

Attacker must be able to access the Pages administration forms, which is possible for authenticated users with the 'administer page manager' permission.

Technical discussion and proof of concept:

The page importer fails to sanitize user input before use in an eval() statement on line 1279 of the page_manager/plugins/tasks/page.admin.inc file. This vulnerability can be exploited via access to the page importer form.

Proof of concept:

  1. Install Drupal 6.16 and Ctools 6.x-1.3
  2. Navigate to the Import Page form at ?q=admin/build/pages/import
  3. Insert an arbitrary page name and viable path
  4. Enter arbitrary PHP code in the text area labeled "Paste page code here:" For example entering "touch ('/var/www/html/drupal-6.16/sites/default/files/foo.bar');" in the text area will cause the server to create a file at the path specified assuming the web server has write permissions at that location.

The page variant importer fails to sanitize user supplied PHP code before use in line 1413 of page_manager.admin.inc. The Clone function is likely also affected but no PoC is provided (see line 1563 in page_manager.admin.inc.

Proof of concept:

  1. Same as above
  2. http://172.16.46.129/drupal-6.16/admin/build/pages/edit/contact_user
  3. Click the 'Import variant' tab
  4. Enter an arbitrary variant name
  5. Enter PHP code into the text area, such as "phpinfo();die();"
  6. Click 'Update' to view the resulting PHP code output

The Pages list at ?q=/admin/build/pages provides a list of pages with an 'enable' or 'disable' link in the table display depending on the status of the page. This value can be changed with a URL request rather than a form post, and no token is provided to prevent against XSRF.

Proof of concept:

  1. Same as above
  2. Log in as a user with privileges to administer pages
  3. Paste the URL ?q=admin/build/pages/nojs/disable/contact_user into the URL to disable the contact_user page.

The Chaos Tools suite fails to properly enforce permissions resulting in an information disclosure vulnerability.

Proof of concept:

  1. Same as above
  2. Create a new page with the title 'Unpublished page' and uncheck the 'Published' box in 'Publishing options' before saving
  3. Call the URL ?q=ctools/autocomplete/node/u to view the node title and associated NID

The Chaos tools suite has an unexploitable SQL injection vulnerability in ctools/includes/export.inc in the function ctools_export_load_object because it fails to sanitize the $table parameter before use in a SQL query on line 78. The module itself does not allow user supplied input to this parameter but it is possible that modules which extend ctools could do so.

Vendor response:

Upgrade to the latest version of Ctools. Ref http://drupal.org/node/803944.