Hello list!

I want to warn you about Full path disclosure and Insufficient Anti-automation vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Drupal 6.20 and previous versions are vulnerable. Vulnerable versions of the Captcha module are those before 6.x-2.3 and 7.x-1.0.

----------
Details:
----------

Full path disclosure (WASC-13):

When a POST request is sent to a page containing a form, with a Cyrillic character in the "op" parameter, an error message is displayed that contains the full path on the system.

The vulnerability exists on these pages:

http://site/user/
http://site/user/1/edit
http://site/user/password
http://site/user/register
http://site/contact
http://site/user/1/contact

Other pages that contain forms can also be vulnerable.

Exploit:
http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html

As the Drupal developers noted, these vulnerabilities appear because the debugging option in the administration panel is turned on. So, to prevent these and other FPD issues on the site, this option needs to be turned off.

Insufficient Anti-automation (WASC-21):

Different forms in Drupal use a vulnerable captcha. Drupal's Captcha module is vulnerable itself, so all captcha plugins can be vulnerable. To bypass the captcha, it's necessary to use a correct value of captcha_sid and the same value of captcha_response. This method of captcha bypass is described in my project Month of Bugs in Captchas (http://websecurity.com.ua/1498/). The attack is possible as long as this captcha_sid value is active.

The vulnerability exists on pages with forms:

http://site/contact
http://site/user/1/contact
http://site/user/password
http://site/user/register

Other forms that use a captcha will also be vulnerable.

Taking into account that the Captcha module for Drupal is a third-party module, the Insufficient Anti-automation vulnerability exists both in the Captcha module (captcha bypass) and in Drupal itself (lack of captcha). As a result we have a "forever vulnerable" condition, where a default Drupal installation is vulnerable to IAA and the Captcha module is also vulnerable to IAA (but the Captcha module was already fixed in 2010, so it's recommended to update it to the latest version).

Exploit:
http://websecurity.com.ua/uploads/2011/Drupal%20CAPTCHA%20bypass.html

------------
Timeline:
------------

2010.12.10 - announced at my site.
2010.12.11 - informed developers.
2010.12.11 - response from Drupal security team.
2010.12.12 - I drew the attention of the Drupal security team to the fact that the IAA holes existed not only in the Captcha module, but in Drupal itself (so it concerned Drupal too).
2011.02.15 - disclosed at my site.

I mentioned these vulnerabilities at my site (http://websecurity.com.ua/4749/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
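Referring back to the Full path disclosure section: after the on-screen error display is switched off, a site owner wants a regression check that form error responses no longer reveal server paths. The following is an added example, not code from this advisory or from Drupal, that scans HTTP response bodies for the "<type>: <message> in <file> on line <n>." shape PHP errors take on screen and recovers the leaked web root; it also handles Windows paths, which the advisory does not mention. The regexes, the web-root heuristic and the sample responses are my own constructions.

```python
import re

# Drupal 6 with on-screen error display echoes PHP errors as
#   "<type>: <message> in <absolute file path> on line <n>."
# Regexes, sample responses and the web-root heuristic are constructed for this example.
_ERROR_RE = re.compile(
    r"(?P<type>(?:user |core |strict |compile |recoverable fatal |parse |fatal )?"
    r"(?:error|warning|notice)):\s*(?P<msg>.*?)\s+in\s+"
    r"(?P<path>(?:[A-Za-z]:[\\/]|/)[^\s<>\"']+)\s+on line\s+(?P<line>\d+)",
    re.IGNORECASE | re.DOTALL,
)
# Top-level Drupal directories: the text before the first one is the revealed web root.
_DRUPAL_DIRS = ("/includes/", "/modules/", "/sites/", "/themes/", "/misc/")

def guess_webroot(path: str) -> str:
    """Heuristic: cut the leaked path at the first well-known Drupal directory."""
    norm = path.replace("\\", "/")
    cuts = [norm.find(d) for d in _DRUPAL_DIRS if d in norm]
    return norm[:min(cuts)] if cuts else norm.rsplit("/", 1)[0]

def find_path_disclosures(body: str) -> list[dict]:
    """One record per PHP error in an HTTP response body that leaks a server path."""
    return [
        {"type": m.group("type").lower(), "path": m.group("path"),
         "line": int(m.group("line")), "webroot": guess_webroot(m.group("path"))}
        for m in _ERROR_RE.finditer(body)
    ]

def has_path_disclosure(body: str) -> bool:
    return bool(find_path_disclosures(body))

# Constructed sample responses (not captured from a real site).
LEAKING_RESPONSE = (
    '<div class="messages error">warning: Illegal offset type in isset or empty '
    'in /var/www/example.org/includes/form.inc on line 210.</div>'
)
WINDOWS_RESPONSE = (
    "notice: Undefined index: op in C:\\xampp\\htdocs\\drupal\\modules\\user\\user.module "
    "on line 1203."
)
SAFE_RESPONSE = '<div class="messages error">The form could not be submitted.</div>'

if __name__ == "__main__":
    for name, body in (("leaking", LEAKING_RESPONSE), ("windows", WINDOWS_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(name, find_path_disclosures(body))
```

Feed it the bodies your own test client records for the form pages listed above; any non-empty result means the screen display of errors is still on or another leak path exists.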