Other vectors for SA-CORE-2014-005?
Heine Fri, 2014/10/31 - 21:57
This is intended as a comment on Acquia's Learning from hackers a week after the Drupal SQL Injection announcement, but Mollom prevents me from posting it there. In it, scor asks:
An open question is whether the SQL injection vulnerability was exploitable via some vector other than via the user login form.
Absolutely! Any path accessible to anonymous users that passes user-supplied data into a query is vulnerable; a POST to the login form is not necessary. Examples:
System batch processing
The path to the batch system is accessible to anonymous users, because the page performs its access check only after it has already run a SQL query. That query takes an id from the request; either GET or POST works, and depending on your PHP configuration, even COOKIE can be used.
If one prefers, and is able to upload files to the site, a slightly modified query can cause that file to be executed. Alternatively, one could try to piggyback on the unserialize call and trigger a destructor.
Session handling code (COOKIE)
The default session handling code stores sessions in the database, so it has to query the database with values from the session cookie to load stored session information.
If the site uses HTTPS, a value taken from $_COOKIE is used in such a query, and that value can be used to conduct a SQL injection attack. An exploit could result in uid 1 access to the site, possibly _without_ even having to insert a session into the database.
I haven't seen these, nor use of other potential avenues in the wild, but then again, I can only observe a small number of sites.
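The two vectors above both leave traces in ordinary web server logs: a request to the batch page whose id is not a plain integer (whether it arrives in the query string or, with a permissive request_order, in a cookie), or a Drupal session cookie whose id contains characters Drupal never generates. The scanner below is an added illustration, not Heine's code and not Drupal's; it assumes a Drupal 7 install with the batch page at the path batch, session cookies named SESS<hash> or SSESS<hash> with base64url session ids, and an access log in Apache combined format with the Cookie header appended as one more quoted field. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format (constructed for this example): "combined" style fields
# followed by the request's Cookie header as one extra quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)
# Drupal 7 session cookie names: SESS<hash> (HTTP) and SSESS<hash> (HTTPS).
SESSION_COOKIE_NAME = re.compile(r'^S?SESS[0-9a-f]{32}$')
# Drupal 7 generates session ids from the base64url alphabet only.
SESSION_ID_OK = re.compile(r'^[A-Za-z0-9_-]+$')
# A legitimate batch id is a decimal integer.
BATCH_ID_OK = re.compile(r'^[0-9]+$')


def parse_cookies(header):
    """Split a Cookie header into a name -> value dict ("-" or empty gives {})."""
    cookies = {}
    for part in header.split(';'):
        name, sep, value = part.strip().partition('=')
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def check_line(line):
    """Return a list of findings for one access-log line (empty list = nothing odd)."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparseable line']
    findings = []
    url = urlsplit(m.group('target'))
    path = url.path.rstrip('/')
    query = parse_qs(url.query, keep_blank_values=True)
    cookies = parse_cookies(m.group('cookies'))

    # Vector 1: the batch page reads its id from the request before the access
    # check, so the id may arrive via GET, POST or (depending on PHP config) COOKIE.
    # endswith() tolerates a site installed in a subdirectory.
    if path.endswith('/batch'):
        sources = [('query', k, v) for k, vs in query.items() for v in vs]
        sources += [('cookie', k, v) for k, v in cookies.items()]
        for src, key, value in sources:
            if key == 'id' or key.startswith('id['):
                if key != 'id' or not BATCH_ID_OK.match(value):
                    findings.append(
                        f'batch id from {src} is not a plain integer: {key}={value!r}')

    # Vector 2: on HTTPS sites the session handler queries the database with a
    # session id taken from $_COOKIE, so an id outside Drupal's alphabet is suspect.
    for name, value in cookies.items():
        if SESSION_COOKIE_NAME.match(name) and not SESSION_ID_OK.match(value):
            findings.append(f'session cookie {name} carries a malformed id: {value!r}')
    return findings


def scan(lines):
    """Run check_line over every line; return [(line_no, findings)] for flagged lines."""
    flagged = []
    for number, line in enumerate(lines, 1):
        findings = check_line(line)
        if findings:
            flagged.append((number, findings))
    return flagged


# Constructed sample log: one benign line, then one line per suspicious pattern.
_HASH = '0123456789abcdef' * 2  # placeholder for the site-specific cookie hash
SAMPLE_LOG = [
    # benign: batch poll with an integer id and a well-formed HTTPS session id
    f'203.0.113.5 - - [30/Oct/2014:10:01:02 +0000] "GET /batch?id=17&op=do HTTP/1.1" 200 312 "SSESS{_HASH}=ab-CD_ef12"',
    # suspicious: batch id in the query string is not an integer
    '203.0.113.9 - - [30/Oct/2014:10:01:05 +0000] "GET /batch?id=17%27 HTTP/1.1" 200 0 "-"',
    # suspicious: batch id delivered through a cookie instead of the query string
    '203.0.113.9 - - [30/Oct/2014:10:01:07 +0000] "GET /batch?op=do HTTP/1.1" 200 0 "id=17%27"',
    # suspicious: session cookie whose id contains characters Drupal never emits
    f'198.51.100.7 - - [30/Oct/2014:10:02:00 +0000] "GET /node HTTP/1.1" 200 5120 "SESS{_HASH}=abc%27%20OR"',
]

if __name__ == '__main__':
    for number, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f'line {number}: {finding}')
```

Feeding a real log requires only that the Cookie header is logged; without it the cookie-borne batch id and the session cookie checks cannot fire, which is itself a reason to log that header on sites exposed to this class of bug. The integer and alphabet checks are deliberately strict whitelists rather than payload signatures, so they also catch variations the post does not spell out.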
Comments
Thanks Heine for your
Submitted by scor (not verified) on Sat, 2014/11/01 - 01:22
Thanks Heine for your research, and sorry about the Mollom trouble. On the bright side, I think your comment was well worth a blog post of its own! I've posted a link to this blog post from my blog post on acquia.com.
It's not clear in your post whether you have seen those vectors being exploited in the wild. I'd be curious to know if you or anyone else has seen them for real exploits.
Thank you. I have not seen
Submitted by Heine on Sat, 2014/11/01 - 07:22
Thank you. I have not seen these and other avenues used in the wild atm. I've updated the post to say so.
There had been a proof of
Submitted by Fabianx (not verified) on Sun, 2014/11/02 - 01:09
There had been a proof of concept code in the wild directly logging a user in as uid 1, but I don't remember if it used $_COOKIE.