- Advisory ID: DRUPAL-SA-CORE-2009-004
- Project: Drupal core
- Version: 5.x
- Date: 2009-February-25
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Local file inclusion on Windows
- Reference: DRUPAL-SA-CORE-2009-003 is an equivalent bug affecting Drupal 6.x
This vulnerability exists on Windows, regardless of the type of webserver (Apache, IIS) used. The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows arrives at a canonicalized path. This enables malicious users to include files, readable by the webserver and located on the same volume as Drupal, and to execute PHP contained within those files. For example, if a site has uploads enabled, an attacker may upload a file containing PHP code and cause it to be included on a subsequent request by manipulating the URL used to access the site. An attacker may also be able to execute PHP code previously placed into the webserver's log file.
The official announcement for Drupal 5.x is here.
Considerations for Drupal 4.7
The problem is caused by code in phptemplate_page() in themes/engines/phptemplate/phptemplate.engine which suggests a list of template files to scan. For example, http://example.com/node/1/edit would result in the following suggestions: page-node-edit.tpl.php, page-node-1.tpl.php, page-node.tpl.php, page.tpl.php. The template engine checks for the existence of each of these in turn in order to use the most specifically appropriate template for the current URL. Portions of the URL are thus used by Drupal to generate a filename of PHP code to execute. This is handled safely under Unix, but not under Windows (regardless of webserver).
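The following is an added example, written for this report and not taken from Drupal's phptemplate engine, showing how URL-derived template suggestions can be built so that no argument is ever able to influence which directory the template is loaded from. The function names (is_safe_template_argument, safe_page_suggestions, resolve_template, find_page_template), the allow-list pattern and the sample arguments are assumptions made for the example; only the suggestion order (page-node-edit.tpl.php, page-node-1.tpl.php, page-node.tpl.php, page.tpl.php) comes from the description above.

```php
<?php
// Added example, not Drupal core code: derive phptemplate-style page
// template suggestions from URL arguments and accept a candidate only
// when its canonical path, as the operating system computes it, lies
// inside the theme directory.
//
// Assumptions (not from the advisory): all helper names, the allow-list
// regex, and the constructed sample arguments at the bottom.

// Allow only the characters a legitimate suggestion ever needs.
// An allow-list is preferable to stripping "../": Windows also accepts
// backslashes as separators and canonicalizes trailing dots and spaces,
// so a blocklist written with Unix paths in mind is not sufficient.
function is_safe_template_argument($arg) {
    return is_string($arg) && preg_match('/^[A-Za-z0-9_-]+$/', $arg) === 1;
}

// Reproduces the suggestion order described in the advisory for
// node/1/edit: page-node-edit, page-node-1, page-node, page.
// An argument that fails the allow-list stops the walk, so the only
// suggestion left for such a request is the generic page.tpl.php.
function safe_page_suggestions(array $args) {
    $suggestions = array();
    if (count($args) >= 1 && is_safe_template_argument($args[0])) {
        $base = 'page-' . $args[0];
        $suggestions[] = $base . '.tpl.php';
        for ($i = 1; $i < count($args); $i++) {
            if (!is_safe_template_argument($args[$i])) {
                break;
            }
            // Most specific suggestion first.
            array_unshift($suggestions, $base . '-' . $args[$i] . '.tpl.php');
        }
    }
    $suggestions[] = 'page.tpl.php';
    return $suggestions;
}

// Second line of defence: even a vetted candidate is only returned when
// realpath() places it under the theme directory. This check is done
// with the canonical form the OS produces, not with the string we built.
function resolve_template($theme_dir, $candidate) {
    $root = realpath($theme_dir);
    if ($root === false) {
        return null;
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . $candidate);
    if ($path === false) {
        return null; // candidate does not exist
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // canonicalized to a location outside the theme directory
    }
    return $path;
}

// Walk the suggestions in order and return the first one that exists
// and passes the containment check, or null to fall back to a default.
function find_page_template($theme_dir, array $args) {
    foreach (safe_page_suggestions($args) as $candidate) {
        $path = resolve_template($theme_dir, $candidate);
        if ($path !== null) {
            return $path;
        }
    }
    return null;
}

// Constructed sample input: the advisory's example URL node/1/edit.
print_r(safe_page_suggestions(array('node', '1', 'edit')));
// Constructed sample input: an argument carrying any separator character
// is refused, so no URL-derived suggestion is built from it.
print_r(safe_page_suggestions(array('node', 'a\\b')));
```

The first print_r call yields page-node-edit.tpl.php, page-node-1.tpl.php, page-node.tpl.php, page.tpl.php; the second yields page-node.tpl.php and page.tpl.php only. The two checks are deliberately independent: the allow-list makes the constructed filename safe on any platform, and the realpath() containment check catches anything the allow-list might one day be loosened to permit, using the same canonicalization rules the vulnerable code ignored.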
The phptemplate feature in question was added in Drupal 5.x. Previously, it was necessary to manually load alternate templates in template.php or node.tpl.php. Therefore, we believe Drupal 4.7 is not affected by this vulnerability.
(We should note that we do not use any Windows machines within our company, and thus we are not affected by this vulnerability in any version of Drupal. Given the seriousness of the exploit, however, we decided to publish this report for the use of anyone who does run Drupal 4.7 on Windows.)
