Finding a Drupal Vulnerability

So, I found my first official Drupal vulnerability, in Drupal core. You can read more about it officially on Drupal's website here: https://www.drupal.org/SA-CORE-2016-001

For those who don't know much about Drupal, it is a Content Management System (CMS) similar to WordPress and Joomla.

During a security assessment and audit of Drupal, I found an issue. I actually found this particular vulnerability many months back, but I decided to hold off on publishing anything about it so that Drupal users would have time to mitigate the issue.

What is the Vulnerability?

The vulnerability is an "Open Redirect". An open redirect lets an attacker craft a link on a trusted domain that sends the visitor on to a site of the attacker's choosing. That makes phishing scams far more convincing, because the link the victim sees really does point at your website, and your site's reputation is used as leverage against the public.

For example, suppose someone could trigger an open redirect on Stealthbay.com. They could then send any visitor who clicks a stealthbay.com link to a destination of their choosing. A typical approach is to copy this site's template and host a look-alike copy elsewhere, then send users a link that looks perfectly legitimate but, after the redirect, lands on a site that has nothing to do with Stealthbay. From there it is a short step to stealing credentials (usernames, email addresses, passwords, birth dates, and so on) by phishing users on the "fake look-alike" website.

Another example: someone clones the web template of PayPal.com and then forwards users to the clone through a link such as paypal.com?url=fakesite.com. Any user who enters an email address and password there is compromised, because the criminal's server can store the credentials the moment they are typed in.

I have to give props to and thank the Drupal Security Team for working with me on the vulnerability. They helped test and replicate the issue and pushed out a fix in the next release.

What causes the Vulnerability?

The issue resides in the PHP code of a few Drupal core files in older releases. The external-URL check is the method menu_path_is_external() in menu.inc in the includes directory, and the related check sits on line 1192 of bootstrap.inc in the same folder. Reduced to its essence, the vulnerable pattern is a redirect whose target comes straight from the request:

$redirect_url = $_GET['url'];          // target taken straight from the query string
header("Location: " . $redirect_url);  // sent to the browser with no validation at all

As the advisory describes it, drupal_goto() in Drupal 6 does a urldecode() on the contents of $_REQUEST['destination'] before using it, potentially causing the redirect protection to fail and send the user to an external URL.

This vulnerability is mitigated on hosts running PHP 5.4.7 or greater.

That pattern is the heart of the problem and a serious weakness from a security point of view: $redirect_url is pulled from user input and trusted as-is, with nothing verifying that it points back into the site rather than to an external host. In Drupal's case a check did exist, but it ran on the still-encoded value, so an encoded "//" slipped past it and was only decoded afterwards. Accepting input without validating it is ALWAYS a big no-no when building applications. Always VERIFY the data coming in and never trust it; unvalidated input is the number one way cyber criminals break into applications.

How is it Exploited?
Part I

Someone could embed a link such as the following in an email or a forum post.

For example: <a href="https://stealthbay.com/redirect?url=https://attacker.example.net">Click here to visit Stealthbay</a>

The link above "seems" to lead to stealthbay.com, and it does, but the open redirect then sends the browser on to the attacker's site. Essentially, someone could spoof and phish stealthbay.com through this method. This form is fairly easy to detect, since the real destination is visible in the link itself. Part II looks at a more interesting case.

Part II

Below is an example that forwards you to any website while showing only a legitimate site's domain name.


Example: http://www.domainname.com/random-page?url=%252f%252ftiny.cc%252fE7LLl

Why is the above link interesting? For two reasons. First, %252f%252f is a doubly URL-encoded "//": the server decodes it once when parsing the query string, leaving %2f%2f, which does not look like an external URL to a check that inspects the still-encoded value; the urldecode() mentioned above then turns it into //tiny.cc/E7LLl, a scheme-relative URL that the browser resolves to an external host. Second, a URL shortener such as tiny.cc hides the final destination, so the average user, who sees only the legitimate domain at the front of the link, has no easy way to spot the redirect. There are several other ways to encode the URL in forms that are not human-readable, and each of them increases the cyber criminal's chances of getting the average user to accept the link as a legitimate web address.
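To make the ordering bug concrete for both the "What causes the Vulnerability?" section and the double-encoded payload just shown, here is an added example. It is my own illustration, not Drupal's code and not taken from the advisory. It models a naive check that inspects the raw url parameter and decodes afterwards, next to a hardened helper that decodes first and then accepts only a site-relative path. The function names (naive_redirect_target, fully_decode, safe_redirect_target) and the sample inputs are hypothetical and constructed for the demo; the one assumption is that PHP has already percent-decoded the query string once while filling $_GET, so %252f%252f in the address bar arrives here as %2f%2f.

```php
<?php
// Added example, not Drupal's code and not from the advisory: a simplified
// model of the check-then-decode ordering bug described above, next to a
// hardened redirect helper.
//
// Assumption (hypothetical set-up): the target arrives in the "url" query
// parameter as in the snippet earlier on the page, and PHP has already
// percent-decoded the query string once while filling $_GET, so "%252f%252f"
// typed into the address bar reaches this code as "%2f%2f".

/**
 * Naive protection, modelled on the flaw: the external-URL test runs on the
 * raw parameter and urldecode() is applied only afterwards. Returns the value
 * that would be sent in the Location header.
 */
function naive_redirect_target(string $url): string
{
    // Treat as external only if a scheme ("https:") or a leading "//" is
    // literally present in the still-encoded string.
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $url)) {
        return '/';
    }
    // Check passed; decoding now can resurrect the "//" the check looked for.
    return urldecode($url);
}

/** Strip every layer of percent-encoding so nothing hides behind "%25". */
function fully_decode(string $s): string
{
    for ($i = 0; $i < 8; $i++) {
        $next = rawurldecode($s);
        if ($next === $s) {
            return $s;
        }
        $s = $next;
    }
    return $s;
}

/**
 * Hardened version: decode first, then accept only a site-relative path.
 * Anything that could carry the browser to another host falls back.
 */
function safe_redirect_target(string $url, string $fallback = '/'): string
{
    $path = trim(fully_decode($url));
    // Browsers accept "\" where "/" is expected in the authority part.
    $path = str_replace('\\', '/', $path);
    // Control characters would allow header injection.
    if (preg_match('/[\x00-\x1f\x7f]/', $path)) {
        return $fallback;
    }
    // A colon before any "/", "?" or "#" means a scheme ("https:", "javascript:").
    $colon = strpos($path, ':');
    if ($colon !== false && !preg_match('![/?#]!', substr($path, 0, $colon))) {
        return $fallback;
    }
    // A scheme-relative "//host/..." is external even without a scheme.
    if (substr($path, 0, 2) === '//') {
        return $fallback;
    }
    // Exactly one leading slash keeps the redirect on this host.
    return '/' . ltrim($path, '/');
}

// Constructed inputs, written as they appear in $_GET['url'] (one decode done).
$cases = [
    'node/1',                          // ordinary internal path
    '/user/login',                     // ordinary internal path
    'https://attacker.example.net',    // plain external URL (Part I)
    '//tiny.cc/E7LLl',                 // scheme-relative URL, no scheme to spot
    '%2f%2ftiny.cc%2fE7LLl',           // Part II payload: %252f%252f in the browser
    '/\\attacker.example.net',         // backslash variant browsers also accept
];

foreach ($cases as $case) {
    printf("%-30s  naive: %-26s  safe: %s\n",
        $case, naive_redirect_target($case), safe_redirect_target($case));
}
```

Run it with `php` from the command line. The naive column shows the Part II payload and the backslash variant passing the check and coming out as a scheme-relative target, while the safe column collapses everything that is not a plain path on this host to the fallback. In a real site the fully decoded path should be re-encoded before it goes into a Location header; the demo returns the raw path only to keep the comparison readable.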

The Bottom Line

The point of this post is to explain what an open redirect is and how it works, and to stress the importance of keeping your Drupal version up to date. In my case I found one vulnerability, and many people are finding new issues in all kinds of applications, Drupal included. That means no application is ever going to be 100% secure all the time. New vulnerabilities will be found, and it is up to each site owner to update their applications as soon as new security fixes are made available.

Once again, I have to give props to the Drupal Security Team for resolving the issue in a timely manner.

My Drupal profile: https://www.drupal.org/u/htaheem
