Full Disclosure mailing list archives

Drupal Ajax Checklist Module SQL Injection Vulnerability
From: "Justin C. Klein Keane" <Justin () MadIrish net>
Date: Wed, 24 Sep 2008 15:16:51 -0400

Drupal Ajax Checklist Module SQL Injection Vulnerability

    * Discovery Date: Sept 15, 2008
    * Security risk: high
    * Exploitable from: Remote
    * Vulnerability: SQL Injection
    * Discovered by: Justin C. Klein Keane <justin () madirish net>


Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team, third party modules are not reviewed for security.

The Ajax Checklist module (http://drupal.org/project/ajax_checklist),
created by AsciiKewl (http://drupal.org/user/147292) is designed to
allow users to input dynamic checklists into nodes. These checklists can
then be checked or unchecked with state tracked via AJAX calls to pages
that store the state in the database. Due to poor input validation on
the AJAX handling pages, this module is vulnerable to SQL injection
attacks. Depending on configuration, these attacks could be carried out
by remote unauthenticated users. Because Drupal is entirely data driven,
SQL injection attacks pose a critical threat to Drupal installations and
their hosts and could lead to full control over the web server process.

The critical flaw exists within the ajax_checklist_save() function
(lines 61-84 of ajax_checklist.module). This function accepts three
parameters ($nid, $qid, and $state), all of which can be manipulated via
a properly crafted URL. These parameters are then used to build SQL
SELECT, INSERT, and UPDATE statements without first being sanitized (for
example through the %d and '%s' placeholders of db_query()).

Vulnerable Versions

5.x-1.0 dated 2007-Aug-18 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:


will cause the administrator's password hash (Drupal 5 stores an
unsalted MD5 of the password in users.pass) to be inserted into the
ajax_checklist table in the Drupal database:

mysql> select * from ajax_checklist;
+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   1 |    0 | 2                                |     2 |
|   3 |    3 | 4202b5f87a68583e20aae6917c8c33d1 |     3 |
|   4 |    4 | 4                                |     3 |
+-----+------+----------------------------------+-------+
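The mechanism behind the dump above, and the fix, as an added example that is not part of the original advisory and not the module's code: a hypothetical save handler in the shape the advisory describes (request parameters interpolated straight into an INSERT) is run against a constructed SQLite copy of a Drupal-5-style users table and the ajax_checklist table. A scalar subquery supplied in place of the numeric $qid copies users.pass into the qid column, which is exactly the row seen in the mysql output; the bound-parameter version stores the same input as an inert string. The 32-hex-character hash from the dump is reused as sample data only, the table layout is illustrative, and the final function is a post-incident check for qid values that look like MD5 hashes rather than question ids.

```python
import re
import sqlite3

# Constructed fixture, not the module's DDL: a users table as Drupal 5 laid it out
# (users.pass holds an unsalted md5 of the password) plus the checklist state table.
SCHEMA = """
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT);
CREATE TABLE ajax_checklist (nid INTEGER, user INTEGER, qid TEXT, state INTEGER);
"""
ADMIN_HASH = "4202b5f87a68583e20aae6917c8c33d1"   # value from the advisory's dump, reused as sample data

# Hypothetical attacker input for the $qid parameter: a scalar subquery instead of a number.
PAYLOAD = "(SELECT pass FROM users WHERE uid = 1)"


def fresh_db():
    """In-memory database seeded with one admin user and one legitimate checklist row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.execute("INSERT INTO ajax_checklist VALUES (1, 0, '2', 2)")
    conn.commit()
    return conn


def save_vulnerable(conn, uid, nid, qid, state):
    """Unsafe pattern (hypothetical reconstruction of the flaw's shape):
    the three URL parameters are pasted into the statement text unchanged,
    so anything that is valid SQL in value position is executed as SQL."""
    sql = ("INSERT INTO ajax_checklist (nid, user, qid, state) "
           "VALUES (%s, %s, %s, %s)" % (nid, uid, qid, state))
    conn.execute(sql)
    conn.commit()


def save_fixed(conn, uid, nid, qid, state):
    """Hardened form: numeric parameters are cast, the string is bound, never interpolated.
    The Drupal 5 equivalent is db_query() with placeholders, e.g.
      db_query("INSERT INTO {ajax_checklist} (nid, user, qid, state) VALUES (%d, %d, '%s', %d)",
               $nid, $user->uid, $qid, $state);"""
    conn.execute("INSERT INTO ajax_checklist (nid, user, qid, state) VALUES (?, ?, ?, ?)",
                 (int(nid), int(uid), str(qid), int(state)))
    conn.commit()


def qids_for_node(conn, nid):
    """What the AJAX page would read back for a node: the stored qid values."""
    return [row[0] for row in conn.execute(
        "SELECT qid FROM ajax_checklist WHERE nid = ?", (nid,))]


HEX32 = re.compile(r"^[0-9a-f]{32}$")


def suspicious_rows(conn):
    """Post-incident check: rows whose qid looks like an md5 hash rather than a question id."""
    return [row for row in conn.execute("SELECT nid, user, qid, state FROM ajax_checklist")
            if HEX32.match(str(row[2]))]


if __name__ == "__main__":
    vuln = fresh_db()
    save_vulnerable(vuln, 3, 3, PAYLOAD, 3)          # nid=3, user=3, state=3 as in the dump
    print("vulnerable handler stored:", qids_for_node(vuln, 3))
    print("suspicious rows:", suspicious_rows(vuln))

    fixed = fresh_db()
    save_fixed(fixed, 3, 3, PAYLOAD, 3)
    print("fixed handler stored:", qids_for_node(fixed, 3))
```

Run against a real installation the check in suspicious_rows() is a quick triage query, since a legitimate qid should never be a 32-character hex string; it does not prove the absence of other injected data.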


Impact

Highly critical. Depending on configuration, this vulnerability could
allow attackers to compromise the Drupal administrator account: the
unsalted MD5 hash recovered above can be cracked offline, and the
administrator can configure file uploads and alter any content on the
Drupal installation, which can lead to web server and even host
compromise.

Determining Version

The ajax_checklist.info page for vulnerable versions displays the
following information:

; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the
package = Other
version = 5.x-0.1

; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).
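A check for the version information described above, added here and not part of the original advisory: a small parser for the .info format that skips ';' comments, strips quotes, and lets a later key overwrite an earlier one, which is the rule Drupal's own info-file parsing applies. That last point is the edge case in the file shown: it carries version twice, and the packaging script's "5.x-1.0" line is the one that counts. The sample text is the .info contents reproduced from the advisory (with its truncated description line left as shown); the only version this advisory lists as tested is 5.x-1.0, so the check flags exactly that.

```python
import re

# Sample constructed from the advisory's listing of ajax_checklist.info.
SAMPLE_INFO = """; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the
package = Other
version = 5.x-0.1

; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"
"""

# Versions this advisory reports as tested and vulnerable.
TESTED_VULNERABLE = {"5.x-1.0"}

_QUOTED = re.compile(r"""^(["'])(.*)\1$""")


def parse_info(text):
    """Minimal Drupal .info parser: comments start with ';', values may be quoted,
    and when a key repeats the last occurrence wins (so the packaging script's
    version line overrides the developer's)."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a key = value line
        value = value.strip()
        m = _QUOTED.match(value)
        if m:
            value = m.group(2)
        info[key.strip()] = value
    return info


def assess(text):
    """Summarise a fetched .info file: effective version and whether it is a tested-vulnerable one."""
    info = parse_info(text)
    version = info.get("version", "")
    return {
        "project": info.get("project"),
        "version": version,
        "tested_vulnerable": version in TESTED_VULNERABLE,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

Feed assess() the body of a fetched ajax_checklist.info; a version outside TESTED_VULNERABLE is reported as not tested, not as safe, since the advisory only states which version was tested.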

Vendor Response

Drupal security team contacted September 17, 2008.  A security patch and
announcement should be available Wednesday September 24, 2008.

--

Justin C. Klein Keane


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
