Open source software security

Drupal U Create 6.x-1.0-beta4 Arbitrary Redirect Vulnerability

18 January 2012
The Drupal U Create module (https://drupal.org/project/ucreate) contains an arbitrary redirection vulnerability due to the fact that unchecked URL variables are used to compose link destinations in administrative screens.

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal U Create module "allow[s] non-admin users on your site to create new users. The module automatically sends an invite email to new users with login information. " The U Create module (https://drupal.org/project/ucreate) contains an arbitrary redirection vulnerability due to the fact that unchecked URL variables are used to compose link destinations in administrative screens.

Systems affected:

Drupal 6.22 with U Create 6.x-1.0-beta4 was tested and shown to be vulnerable

Impact

Users could be tricked into viewing links to block site users that contained malicious URL variables. If users followed these links and clicked on the 'Cancel' link to abort blocking the users could be redirected to arbitrary sites. These could potentially be malicious sites hosting malware or posing as legitimate sites (including the target site) to harvest credentials.

Mitigating factors:

In order to exploit this vulnerability site users must be tricked into visiting a specific link in their own site and then click on the 'Cancel' link.

Proof of Concept Exploit:

  1. Install and enable the U Create and it's dependent OG (Organic Groups) module
  2. Visit the URL ?q=user/[X]/block&destination=http://www.madirish.net where [X] is the uid of a valid site user
  3. Click on the 'Cancel' link to be redirected to the MadIrish.net site

Vendor Response:

This module is in beta and not supported by the Drupal security team (ref: https://drupal.org/security-advisory-policy) Vulnerability was reported publicly to the module maintainer via the module issue queue (ref: https://drupal.org/node/1409166).