PhpTransliteration::readLanguageOverrides

Since $langcode comes from the url it is quite easy to include ANY php file on the server. Even if it situated outside Drupal root.

The simplest way to reproduce the bug is to navigate to following path: machine_name/transliterate?text=а&langcode=../../../../../../index

The vulnerability is mitigated by the fact that since PHP 5.3.4 paths with NULL in them are considered as invalid. Otherwise the attacker could include any files on a server, not just php scripts.

However opportunity to include any php files may be used to run external php applications that might be situated outside Drupal root or protected by http authorization. For instance, I was able to get access to my database by inclusion adminer.php.

originally reported to Drupal 8 bug bounty
https://tracker.bugcrowd.com/submissions/df2aa05dfef8649c33e119bc27e22f4...

reporter: Chi https://www.drupal.org/user/556138

Triaged in private by the Drupal security team - does not affect Drupal 6 or 7

CommentFileSizeAuthor
#25 test_routes.txt774 byteschx
#25 routes.txt11.79 KBchx
#19 interdiff.txt672 byteschx
#19 2508654_19.patch3.6 KBchx
#12 2508654_11-test-only.patch1.93 KBchx
#12 2508654_11.patch2.79 KBchx
#11 2508654_10-test-only.patch1.65 KBchx
#11 2508654_10.patch2.51 KBchx
#10 2508654_9-test-only.patch1.4 KBchx
#10 2508654_9.patch2.25 KBchx
#3 2508654_3.patch878 byteschx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

tim.plunkett’s picture

tim.plunkett
he/him
Primary language English
Location Philadelphia
CreditAttribution: tim.plunkett at Acquia commented
Issue tags: +Security
chx’s picture

chx CreditAttribution: chx commented

Oh damn.

chx’s picture

chx CreditAttribution: chx commented
Status: Active » Needs review
FileSize
2508654_3.patch878 bytes

Did you know that all sorts of parenthesis are a valid delimiter for regular expressions?

Compare http://3v4l.org/LEjg3 to http://3v4l.org/iMf6O

Pere Orga’s picture

Pere Orga
Primary language Catalan
CreditAttribution: Pere Orga as a volunteer and commented
Status: Needs review » Reviewed & tested by the community

I confirm that patch in #3 fixes the issue.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs tests

Seriously, we should better have a test for it

Dave Reid’s picture

Dave Reid
he/him
Primary language English
Location Nebraska USA
CreditAttribution: Dave Reid commented
Title: File inclusion in transilteration service » File inclusion in transliteration service
Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy at Acquia commented
Issue tags: +D8MI, +sprint, +language-base
Pol’s picture

Pol
the/that
Location Brussels
CreditAttribution: Pol as a volunteer commented

As soon as this is fixed, I'll include it in service_container too. (ref: https://github.com/LionsAd/service_container/pull/67)

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented

Did you know that all sorts of parenthesis are a valid delimiter for regular expressions?

Which is IMHO just overengineering and makes it harder to start with as a beginner ...

chx’s picture

chx CreditAttribution: chx commented
Status: Needs work » Needs review
FileSize
2508654_9.patch2.25 KB
2508654_9-test-only.patch1.4 KB

This is not easy to test.

chx’s picture

chx CreditAttribution: chx commented
FileSize
2508654_10.patch2.51 KB
2508654_10-test-only.patch1.65 KB

Simplified (a little) and explained the test.

chx’s picture

chx CreditAttribution: chx commented
FileSize
2508654_11.patch2.79 KB
2508654_11-test-only.patch1.93 KB

With more @covers metadata.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented
Status: Needs review » Reviewed & tested by the community
Issue tags: -Needs tests

Thank you chx!

The last submitted patch, 10: 2508654_9-test-only.patch, failed testing.

The last submitted patch, 11: 2508654_10-test-only.patch, failed testing.

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 12: 2508654_11-test-only.patch, failed testing.

chx’s picture

chx CreditAttribution: chx commented
Status: Needs work » Reviewed & tested by the community

Expected fail.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Reviewed & tested by the community » Needs work

Nice find and nice test.

I've grepped the codebase looking for similar code and couldn't find any. I think we need to document on TransliterationInterface that the langcode is user input and should be treated with suspicion. Just in case another writes a replacement for the transliteration service.

chx’s picture

chx CreditAttribution: chx commented
Status: Needs work » Needs review
FileSize
2508654_19.patch3.6 KB
interdiff.txt672 bytes

Sure. I am not reposting the test-only patch since there's no change to that.

dawehner’s picture

dawehner
Primary language German
CreditAttribution: dawehner as a volunteer commented
Status: Needs review » Reviewed & tested by the community

Cool

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott at Chapter Three commented
Status: Reviewed & tested by the community » Fixed

Committed 337f182 and pushed to 8.0.x. Thanks!

  • alexpott committed 337f182 on 8.0.x 
    Issue #2508654 by chx, dawehner, Chi: File inclusion in transliteration...
Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy at Acquia commented
Issue tags: -sprint

Yay, yayay!

pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at Acquia commented
Issue tags: +D8 Security Bounty, +D8 Accelerate
chx’s picture

chx CreditAttribution: chx commented
FileSize
routes.txt11.79 KB
test_routes.txt774 bytes

I talked to Ivan about how he discovered this and with his permission I am posting it here:

That was quite interesting.

I was trying to find unprotected urls on the D8 site which might disclose some private information. So that I exported all available Drupal paths to the text file using \Drupal::service('router.route_provider') and then created a simple php script that read the file and sent http requests to the site using curl library.

The path machine_name/transliterate took my attention because it was one of the few urls accessible by anonymous user (see script output in attachment). So I decided to check what is inside the controller that is responsible for that route.

Having found preg_replace that takes parameters directly from request object I was able to make Drupal to emit warnings by passing wrong values to that variables through url. But nothing else because replacement pattern was wrapped with '@' and null byte injection did not work on my local environments. So I decided to postpone this and track $langcode variable that was not used directly inside MachineNameController::transliterate(). It leads me to PhpTransliteration::readLanguageOverrides() where I found the file inclusion vulnerability .

Actually I did not spot that wrong regular expression pattern that was supposed to prevent file inclusion. I just put wrong value for $langcode variable to url and make yourself sure that it works. :)

Later when I was submitting initial issue about invalidated parameters for preg_replace #2508735: Code injection via preg_replace() I found that null byte injections works on some PHP 5.4 versions that Drupal 8 was still supporting at that moment. So that issue also became security.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.