Steps to reproduce
An unauthenticated user requests the installer and supplies an invalid `profile` query parameter:
https://victim.site/core/install.php?profile=%3Cinvalid%20value%3E
Application responds with an error:
User warning: The following module is missing from the file system: invalidvalue in drupal_get_filename() (line 240 of core/includes/bootstrap.inc).
drupal_get_filename('module', 'invalidvalue') (Line: 263)
drupal_get_path('profile', 'invalidvalue') (Line: 244)
Drupal\Core\Extension\ExtensionDiscovery->setProfileDirectoriesFromSettings() (Line: 157)
Drupal\Core\Extension\ExtensionDiscovery->scan('module') (Line: 148)
drupal_required_modules() (Line: 1087)
install_profile_info('minimal') (Line: 1236)
_install_select_profile(Array) (Line: 440)
install_begin_request(Object, Array) (Line: 114)
install_drupal(Object) (Line: 44)
...
After some time, the application stops working for authenticated users (denial of service). Functionality is "fixed" once the following URL is accessed:
http://victim.site/core/install.php?profile=standard
Expectation
A generic error message is shown and the application continues working.
What happened
A detailed error message is shown and the administrator is unable to authenticate and/or access modules.
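As an added example (not from this issue or from Drupal's own code), the following Python scans a web server access log in combined format for requests to install.php whose `profile` parameter is not a known profile, so a site can spot the trigger described above; the known-profile set and the machine-name rule are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; none are taken from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:10:12:01 +0000] "GET /core/install.php?profile=%3Cinvalid%20value%3E HTTP/1.1" 200 5123 "-" "curl/7.50"
203.0.113.7 - - [10/Jan/2017:10:12:05 +0000] "GET /core/install.php?profile=doesnotexist HTTP/1.1" 200 5123 "-" "curl/7.50"
198.51.100.4 - - [10/Jan/2017:10:13:00 +0000] "GET /core/install.php?profile=standard HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2017:10:14:00 +0000] "GET /user/login?profile=x HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2017:10:15:00 +0000] "GET /core/install.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Profiles shipped with Drupal core (assumed list); add any custom profiles the site
# actually ships so they are not reported.
KNOWN_PROFILES = {"standard", "minimal", "testing"}

# Drupal machine names: lowercase ASCII letters, digits and underscores (assumed rule).
MACHINE_NAME = re.compile(r"^[a-z][a-z0-9_]*$")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_profile(value):
    """Return None for an acceptable profile value, otherwise a short reason string."""
    if not MACHINE_NAME.match(value):
        return "not a valid machine name"
    if value not in KNOWN_PROFILES:
        return "unknown profile"
    return None

def flag_install_requests(log_text):
    """Return one finding per install.php request whose profile parameter is suspect."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/install.php"):
            continue
        # parse_qs decodes percent-encoding, so %3Cinvalid%20value%3E becomes "<invalid value>".
        for value in parse_qs(url.query).get("profile", []):
            reason = classify_profile(value)
            if reason:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "profile": value, "reason": reason})
    return findings
```

Running `flag_install_requests(SAMPLE_LOG)` reports the two requests with bad profile values and ignores the valid `standard` request, the bare install.php hit and the non-installer URL.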
Comments
Comment #2
cilefen commented: Nice find! I don't understand how this constitutes a denial of service. But it is a PHP error triggerable with a GET request so it is major priority.
Comment #3
cilefen commented:
Comment #9
quietone (as a volunteer) commented: This is a duplicate of #2840973: Install system should not produce PHP errors. Moved the data from the IS here over there.