Drupal 6.10 released
Thursday, 26 February 2009 15:05

Yesterday Drupal 6.10 was released, and at the same time version 5.16 was released in the Drupal 5 branch. While both versions include bug fixes, the main reason for the release seems to be a vulnerability that occurs when Drupal runs under Windows. The vulnerability is rated highly critical, so all Drupal users are advised to upgrade as soon as possible. The vulnerability is only present under Windows, but it does not depend on the web server being used (either Apache or Microsoft IIS). Because Drupal 7 is under way, these two releases for Drupal 5 and 6 can be seen as maintenance releases.

Vulnerability: Local file inclusion in Windows

The vulnerability closed in the new versions is in the theming system (includes/theme.inc). In the function template_preprocess_page() the theming engine has a cool feature that allows flexible naming conventions for the template files it needs. For instance, when a node page needs to be shown, the matching filenames are "page-node-edit.tpl.php", "page-node.tpl.php" and so on. When loading the page, Drupal tries to match one of these names with an existing file in the current theme. These files are supposed to exist only within the current theme directory. The vulnerability that was found allows the inclusion of directory characters like // or \ to point at a different path under Windows. Because of the difference in path separators between Windows (backslash \) and Linux/UNIX/MacOS (forward slash /), the bug only exists in Windows environments.

The exploit

An evil person could now craft a custom URL containing these unexpected characters to trick the theming engine into including other PHP scripts (ending with the .tpl.php extension) outside of the regular theme directory. For instance, the path could be changed to /sites/all/files/uploads/c99.tpl.php, a PHP shell script with which the hacker could take over the site. This still requires the hacker to upload the PHP shell script to the web server first, perhaps through another exploit or even through another website if Drupal is hosted in a badly configured shared hosting environment. That makes it harder to crack a Drupal site, but not impossible. The vulnerability is still severe enough that upgrading is highly recommended.

The fix

The fix included in the new Drupal versions is straightforward: it simply strips the unexpected characters from the requested filename, forcing the filename to stay inside the current theme folder. The bug was found by Bogdan Calin, working for Acunetix, the same company that has released a highly advanced security scanning engine.
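As an added illustration (this is not Drupal's own code and not the actual patch), the following PHP shows the two defensive measures the text describes for a template-suggestion lookup: stripping the path-separator characters from the URL arguments before they are turned into a template name, and checking that the resolved template file stays inside the theme directory. The function names, the constructed request and the theme path are assumptions made for the example.

```php
<?php
// Illustrative hardening of a template-suggestion lookup. Not Drupal's code;
// function names and the theme directory are assumptions for this example.

// Build page template suggestions ("page-node-edit", "page-node", "page")
// from the URL path arguments, most specific name first, the way the article
// describes the theming engine walking through candidate file names.
function build_page_suggestions(array $args, bool $sanitize): array
{
    $suggestions = [];
    $name = 'page';
    foreach ($args as $arg) {
        if ($sanitize) {
            // The hardening: remove both path separators and NUL (which would
            // truncate the name inside PHP's file functions), so an argument
            // can only ever contribute to a file name, never to a directory.
            $arg = str_replace(['/', '\\', "\0"], '', $arg);
        }
        if ($arg === '') {
            continue;
        }
        $name .= '-' . $arg;
        array_unshift($suggestions, $name);
    }
    $suggestions[] = 'page';
    return $suggestions;
}

// Resolve the first existing suggestion to a template file, refusing any
// candidate whose real path lies outside the theme directory. This is a
// second line of defence in case a caller forgets to sanitize.
function find_template(string $theme_dir, array $suggestions): ?string
{
    $root = realpath($theme_dir);
    if ($root === false) {
        return null;
    }
    foreach ($suggestions as $suggestion) {
        $candidate = $theme_dir . DIRECTORY_SEPARATOR . $suggestion . '.tpl.php';
        $real = realpath($candidate);
        if ($real === false) {
            continue; // no such file, try the next suggestion
        }
        // Append the separator so "themes/garland-x" does not pass as being
        // inside "themes/garland".
        if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
            continue; // resolved outside the theme directory: ignore it
        }
        return $real;
    }
    return null;
}

// Constructed request: the second path argument carries Windows-style
// backslashes of the kind the article describes.
$hostile_args = ['node', '..\\..\\sites\\all\\files\\uploads\\c99'];

print_r(build_page_suggestions($hostile_args, false));
// Unsanitized: 'page-node-..\..\sites\all\files\uploads\c99' plus '.tpl.php',
// which a Windows filesystem would resolve as a path outside the theme.

print_r(build_page_suggestions($hostile_args, true));
// Sanitized: 'page-node-....sitesallfilesuploadsc99', a plain file name that
// can only match a file inside the theme directory.

// Assumed theme directory; adjust to a real path to try the lookup.
var_dump(find_template('themes/garland', build_page_suggestions($hostile_args, true)));
```

Without the stripping, the backslashes in the second suggestion are treated as directory separators by a Windows filesystem, which is the traversal the article describes; on Linux a backslash is just another character in a file name, which is why the bug was Windows-only. The containment check in find_template() uses realpath() and so applies on both platforms, and it also rejects a suggestion that escapes the theme directory through a symlink.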