Heine

  • Home
  • Drupal
  • About
Home

ZeroDayScan - Full path disclosure bug in Drupal 6.16 (0day)

Heine —Wed, 2010/04/28 - 22:01

We recently received a report by "ZeroDayScan", about a "Full path disclosure bug in Drupal 6.16".

You can read the story @ http://blog.zerodayscan.com/2010/04/full-path-disclosure-bug-in-drupal-616.html. As my short comment was removed from the post, I have to resort to a blogpost. My apologies for polluting the Planet.

Summary of the issue: If you set error reporting to the default value "Write errors to the log and to the screen", the installation path is displayed on the ...*drumroll*... screen.

Which is of course the point.

Calling the setting a "workaround", the default a "bug" and a "vulnerability" is either idiocy, or insincere. Now that comments were removed, we know. Insincere and at the same time a great way to highlight the impotence of the ZeroDayScan scanner.

My last message to ZeroDayScan: If there's an SQL injection on a Drupal site; you can simply take over the site as uid 1 (root); no need to find out the full path via an obscure error message.

  • Drupal
  • Security
  • Planet Drupal
  • Clowns

Comments

(x-posted to the issue:

Submitted by entendu (not verified) on Thu, 2010/04/29 - 00:00

(x-posted to the issue: http://drupal.org/node/783618#comment-2903794)

I think the point here is that Drupal reveals its path to all users (including anon) in errors by default. Should that be the case? Sane defaults are obviously something we should be reaching for, so the question is: is this sane?

Perhaps a saner set of selections for Drupal error reporting would be:
-Log to database only (recommended for production)
-Log to screen and database (recommended for development)
-Log to screen only for User 1, and always to database (default)

As I commented on the issue,

Submitted by Heine on Thu, 2010/04/29 - 00:12

As I commented on the issue, hiding errors from Anon users is not very helpful in the dev stage of the site. What if you encounter an error during / before login or when installing?

The less savvy user will be stuck and will be left with very little information to use for Troubleshooting.

Master switch development / production

Submitted by George Moses (not verified) on Thu, 2010/04/29 - 09:51

There could be a "master switch" in Drupal, which could switch the site from the development phase to production and vice versa.

With the switch all kinds of settings could be changed:

  • Error reporting
  • Enablement of devel or testing modules
  • Debug info
  • Caching / optimisation settings
  • Misc security settings
  • etc..

Ideal for the "less savvy" user and more secure / better performance for Drupal in general.

Recent posts

  • Teampassword manager's password generator is biased
  • Other vectors for SA-CORE-2014-005?
  • Lazy loading: hook_hook_info is for hook owners only.
  • "Always offline" problem in EA's Origin due to antivirus
  • From bug to exploit - Bakery SSO
more

Security reviews

I provide security reviews of custom code, contributed modules, themes and entire sites via LimoenGroen.

Contact us for a quote.

Follow @ustima

Copyright © 2021 by Heine Deelstra. All rights reserved.

  • Home
  • Drupal
  • About