ZeroDayScan - Full path disclosure bug in Drupal 6.16 (0day)
Heine Wed, 2010/04/28 - 22:01
We recently received a report by "ZeroDayScan", about a "Full path disclosure bug in Drupal 6.16".
You can read the story at http://blog.zerodayscan.com/2010/04/full-path-disclosure-bug-in-drupal-616.html. As my short comment was removed from the post, I have to resort to a blog post. My apologies for polluting the Planet.
Summary of the issue: If you set error reporting to the default value "Write errors to the log and to the screen", the installation path is displayed on the ...*drumroll*... screen.
Which is of course the point.
Calling the setting a "workaround", and the default a "bug" and a "vulnerability", is either idiocy or insincere. Now that the comments were removed, we know: insincere, and at the same time a great way to highlight the impotence of the ZeroDayScan scanner.
My last message to ZeroDayScan: if there's an SQL injection on a Drupal site, you can simply take over the site as uid 1 (root); there is no need to find out the full path via an obscure error message.
Comments
(x-posted to the issue:
Submitted by entendu (not verified) on Thu, 2010/04/29 - 00:00
(x-posted to the issue: http://drupal.org/node/783618#comment-2903794)
I think the point here is that Drupal reveals its path to all users (including anon) in errors by default. Should that be the case? Sane defaults are obviously something we should be reaching for, so the question is: is this sane?
Perhaps a saner set of selections for Drupal error reporting would be:
- Log to database only (recommended for production)
- Log to screen and database (recommended for development)
- Log to screen only for User 1, and always to database (default)
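One way the third option above could be implemented on a Drupal 6 site, as an added illustration that is not part of the original post or of Drupal core: a small module (hypothetical name `errpolicy`, its `.info` file assumed) that overrides the `error_level` variable per request. Drupal 6 stores this setting as 0 ("Write errors to the log") or 1 ("Write errors to the log and to the screen"), and `variable_get()` reads `$GLOBALS['conf']` first, so a value set in `hook_init()` (which runs after the current user is loaded) takes effect for the rest of the request.

```php
<?php
// errpolicy.module (hypothetical module name) for Drupal 6.
// Added example, not Drupal core code. Policy: always log to the
// database, show errors on screen only to uid 1, so anonymous
// visitors never see the installation path in a PHP warning.
//
// drupal_error_handler() in includes/common.inc checks
// variable_get('error_level', 1) == 1 before calling drupal_set_message().
// Because variable_get() consults $GLOBALS['conf'] before anything else,
// setting it here wins over the value stored in the variable table.

/**
 * Implementation of hook_init().
 */
function errpolicy_init() {
  global $user;
  $GLOBALS['conf']['error_level'] = errpolicy_level_for_uid($user->uid);
}

/**
 * Map a user id to a Drupal 6 error_level value.
 *
 * @return int
 *   1 (log and screen) for uid 1 only; 0 (log only) for every other
 *   account, including anonymous (uid 0).
 */
function errpolicy_level_for_uid($uid) {
  return ((int) $uid === 1) ? 1 : 0;
}

// Production fallback for errors raised before hook_init() runs
// (early bootstrap, or before this module is enabled): put the
// following line in sites/default/settings.php so the stored
// "log and screen" default never applies to a bare request.
//
//   $conf['error_level'] = 0;
```

Errors raised during install, before login, or otherwise before `hook_init()` still follow the stored setting (or the `settings.php` fallback), so a user hitting a fatal error at that stage sees nothing on screen and must read the log, which is the trade-off Heine raises in the next comment.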
As I commented on the issue,
Submitted by Heine on Thu, 2010/04/29 - 00:12
As I commented on the issue, hiding errors from Anon users is not very helpful in the dev stage of the site. What if you encounter an error during / before login or when installing?
The less savvy user will be stuck and will be left with very little information to use for troubleshooting.
Master switch development / production
Submitted by George Moses (not verified) on Thu, 2010/04/29 - 09:51
There could be a "master switch" in Drupal, which could switch the site from the development phase to production and vice versa.
With the switch all kinds of settings could be changed:
Ideal for the "less savvy" user and more secure / better performance for Drupal in general.