Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by greggles on May 14, 2012 at 2:17am

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"

As a response to this and the entire class of issues (that our error messages are optimized for usability over security) I've posted this faq entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.

Categories:

Comments

Full Path Disclosure a risk?

Posted by no2e on May 14, 2012 at 3:15am

I have "Error messages to display" set to "None", but when I visit my-drupal-site.example.com/?q[]=x (as anonymous), I still get an error message with the full path disclosed.

The FAQ describes that it is not a problem, because you can disable the display of error messages. But when this doesn't work (like in my case), does that mean that it could be a risk?

It does appear that this

Posted by greggles on May 14, 2012 at 6:15pm

It does appear that this specific issue gets around that setting, so I added information about PHP which should fix it.

As to whether or not this is a problem you have to ask yourself: is it a problem that someone knows the path to my document root. This is only a problem if you have a second vulnerability that makes this important such as (but not limited to) an arbitrary php execution or arbitrary file upload issue, but in those cases you should focus on fixing those vulnerabilities.

This has now been fixed in

Posted by greggles on August 2, 2012 at 1:40am

This has now been fixed in Drupal 7.15 and an issue for 6.x is ready for testers at http://drupal.org/node/1576300

Thanks for the CVE

Posted by rickmanelius on August 2, 2012 at 1:44am

My first search turned up nothing, so I think that's a great improvement so we don't needlessly pester the security team :)

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /