Drupal MultiSite Search Module SQL Injection Vulnerability
Vulnerability Report
Author: Justin C. Klein Keane <firstname.lastname@example.org>
OSVDB: 79857
Reported: January 6, 2012
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Multisite Search module (https://drupal.org/project/multisite_search) contains a SQL injection vulnerability because it does not sanitize the user-supplied table_prefix value during query construction in the multisite_search_cron() function, which is called when the Drupal cron is run.
Drupal 6.22 with Multisite Search 6.x-2.2 was tested and shown to be vulnerable.
Malicious users could execute arbitrary SQL commands in the context of the Drupal database user.
In order to execute arbitrary script injection, malicious users must have the ability to administer multisite search.
Proof of Concept Exploit:
- Install and enable the Multisite search module
- Add a new site at ?q=admin/settings/multisite-search/add-site injecting arbitrary SQL in the 'Site table prefix' field
- Run cron by calling the URL ?q=admin/reports/status/run-cron
- Alternatively, add the text "print_r($index_query);die();" on line 625 of multisite_search.module to abort cron execution and observe the query.
On 7 March, 2012 the vendor released SA-CONTRIB-2012-031, which revoked support for this module. Module maintainers released version 6.x-2.3 on 21 June, 2012, which addresses the vulnerabilities. Users should upgrade to version 6.x-2.3 or later.
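The root cause described above is a stored table prefix concatenated into SQL. A table name cannot be bound as a query placeholder, so the check has to be an allow-list applied where the query is built. The PHP below is an added example, not code from the module or from its 6.x-2.3 fix; the function names, the prefix policy, the query text and the sample inputs are assumptions.

```php
<?php
// Added example with hypothetical helper names; not taken from multisite_search.module.

/**
 * Returns TRUE when $prefix is safe to splice into a table name.
 * Assumed policy: letters, digits and underscores, optionally preceded by one
 * "database." qualifier, at most 64 characters. An empty prefix is allowed.
 */
function example_table_prefix_is_valid($prefix) {
  if (!is_string($prefix) || strlen($prefix) > 64) {
    return FALSE;
  }
  // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
  return (bool) preg_match('/\A(?:[A-Za-z0-9_]+\.)?[A-Za-z0-9_]*\z/', $prefix);
}

/**
 * Builds an index query for another site's tables (illustrative query text).
 * The prefix is re-validated here, at the point of use, because the value was
 * stored earlier and cron must not trust what is in the database.
 */
function example_build_index_query($prefix) {
  if (!example_table_prefix_is_valid($prefix)) {
    throw new InvalidArgumentException('Rejected table prefix');
  }
  return 'SELECT sid, word, type, score FROM ' . $prefix . 'search_index';
}

// Constructed sample inputs: three well-formed prefixes, three malformed ones.
$samples = array(
  'site2_',
  '',
  'otherdb.site3_',
  'site2_search_index; --',
  "site2_\n",
  'a.b.c_',
);

foreach ($samples as $prefix) {
  try {
    $result = example_build_index_query($prefix);
  }
  catch (InvalidArgumentException $e) {
    $result = 'REJECTED';
  }
  printf("%-28s => %s\n", json_encode($prefix), $result);
}
```

Applying the same check in the settings form's validation handler gives the administrator immediate feedback, but the check in the query builder is the one that protects cron.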