Drupal MultiSite Search Module SQL Injection Vulnerability

7 March 2012

Vulnerability Report

Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-1656
OSVDB: 79857

Reported: January 6, 2012

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Multisite Search module (https://drupal.org/project/multisite_search) contains a SQL injection vulnerability because it does not sanitize the user-supplied table_prefix value during query construction in the multisite_search_cron() function, which is called when Drupal cron runs.
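The root cause described above, shown beside a hardened form. This is an added example, not code from multisite_search.module: the function names, the query text and the 32-character limit are assumptions made for illustration, and the sample prefixes are constructed.

```php
<?php
// Added illustration; not code from multisite_search.module.
// A table name cannot be bound as a query parameter, so a configurable
// prefix has to be restricted to identifier characters before it is used.

/** Allowlist check: letters, digits and underscore only; may be empty.
 *  The 32-character limit is an assumed bound, not a Drupal constant. */
function prefix_is_valid($prefix) {
  // \A and \z anchor the whole string, so a trailing newline is rejected too.
  return is_string($prefix)
    && preg_match('/\A[A-Za-z0-9_]{0,32}\z/', $prefix) === 1;
}

/** Pattern the advisory describes: the prefix reaches the SQL text unchecked. */
function index_query_unchecked($prefix) {
  return 'SELECT sid, type, data FROM ' . $prefix . 'search_dataset';
}

/** Hardened form: reject anything outside the allowlist, then quote the name. */
function index_query_checked($prefix) {
  if (!prefix_is_valid($prefix)) {
    throw new InvalidArgumentException('Invalid table prefix');
  }
  return 'SELECT sid, type, data FROM `' . $prefix . 'search_dataset`';
}

// Constructed sample values for the 'Site table prefix' field.
$samples = array('', 'site2_', 'site2_; SELECT 1');

foreach ($samples as $prefix) {
  echo 'unchecked: ', index_query_unchecked($prefix), "\n";
  try {
    echo 'checked:   ', index_query_checked($prefix), "\n";
  }
  catch (InvalidArgumentException $e) {
    // The third sample lands here: it contains characters outside the allowlist.
    echo 'rejected:  ', var_export($prefix, TRUE), "\n";
  }
}
```

The check belongs both where the prefix is saved and where the cron query is built, so that values stored before the validation existed are also refused. Drupal's db_escape_table() helper applies a comparable character filter by stripping disallowed characters.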

Systems affected:

Drupal 6.22 with Multisite Search 6.x-2.2 was tested and shown to be vulnerable.

Impact:

Malicious users could execute arbitrary SQL commands in the context of the Drupal database user.

Mitigating factors:

To exploit this vulnerability, a malicious user must have the ability to administer multisite search.

Proof of Concept Exploit:

  1. Install and enable the Multisite search module
  2. Add a new site at ?q=admin/settings/multisite-search/add-site injecting arbitrary SQL in the 'Site table prefix' field
  3. Run cron by calling the URL ?q=admin/reports/status/run-cron
  4. Alternatively add the text "print_r($index_query);die();" on line 625 of multisite_search.module to abort cron execution and observe the query.

Vendor Response:

On 7 March, 2012 the vendor released SA-CONTRIB-2012-031, which revoked support for this module. Module maintainers released version 6.x-2.3 on 21 June, 2012, which addresses the vulnerabilities. Users should upgrade to version 6.x-2.3 or later.