Drupal MultiSite Search Module SQL Injection Vulnerability
Vulnerability Report
Author: Justin C. Klein Keane <justin@madirish.net>
CVE: CVE-2012-1656
OSVDB: 79857
Reported: January 6, 2012
Description of Vulnerability:
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Multisite Search module (https://drupal.org/project/multisite_search) contains a SQL injection vulnerability because it does not sanitize the user-supplied table_prefix value during query construction in the multisite_search_cron() function, which is called when the Drupal cron is run.
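The pattern described above, as an added example that is not code from multisite_search.module or from the advisory author: a stored table prefix concatenated into a query, next to an allow-list check applied again at the point of use. The function names, the query text and the sample prefixes are assumptions constructed for illustration.

```php
<?php
// Added illustration. Function names and the query are hypothetical and are
// not taken from multisite_search.module.

// Vulnerable pattern: the stored prefix is concatenated into the statement.
function build_index_query_unsafe(string $table_prefix): string {
  return "SELECT word, sid, score FROM {$table_prefix}search_index";
}

// Identifiers cannot be bound as query placeholders, so the prefix is checked
// against an allow-list: letters, digits and underscore, at most 64 characters
// (an empty prefix is allowed for unprefixed sites).
function validate_table_prefix(string $table_prefix): string {
  if (!preg_match('/\A[A-Za-z0-9_]{0,64}\z/', $table_prefix)) {
    throw new InvalidArgumentException('Invalid table prefix');
  }
  return $table_prefix;
}

// The check runs where the query is built (the cron path), not only when the
// settings form is saved, because the value is read back from storage later.
function build_index_query_safe(string $table_prefix): string {
  $prefix = validate_table_prefix($table_prefix);
  return "SELECT word, sid, score FROM {$prefix}search_index";
}

// Constructed sample inputs.
$samples = [
  'site2_',                            // ordinary prefix
  '',                                  // site without a prefix
  'site2_search_index WHERE 1=1 -- ',  // constructed value with SQL syntax
];

foreach ($samples as $prefix) {
  echo 'input:  ', var_export($prefix, true), "\n";
  echo 'unsafe: ', build_index_query_unsafe($prefix), "\n";
  try {
    echo 'safe:   ', build_index_query_safe($prefix), "\n";
  } catch (InvalidArgumentException $e) {
    echo 'safe:   rejected (', $e->getMessage(), ")\n";
  }
}
```

Drupal 6 core's db_escape_table() restricts table names to the same character set by stripping everything else; rejecting is used here so that a bad stored value surfaces instead of being silently altered.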
Systems affected:
Drupal 6.22 with Multisite Search 6.x-2.2 was tested and shown to be vulnerable.
Impact:
Malicious users could execute arbitrary SQL commands in the context of the Drupal database user.
Mitigating factors:
In order to execute arbitrary script injection, malicious users must have the ability to administer multisite search.
Proof of Concept Exploit:
- Install and enable the Multisite search module
- Add a new site at ?q=admin/settings/multisite-search/add-site injecting arbitrary SQL in the 'Site table prefix' field
- Run cron by calling the URL ?q=admin/reports/status/run-cron
- Alternatively add the text "print_r($index_query);die();" on line 625 of multisite_search.module to abort cron execution and observe the query.
Vendor Response:
On 7 March, 2012 the vendor released SA-CONTRIB-2012-031, which revoked support for this module. Module maintainers released version 6.x-2.3 on 21 June, 2012, which addresses the vulnerabilities. Users should upgrade to version 6.x-2.3 or later.