Response to Drupal 7.14 <= Full Path Disclosure Vulnerability

greggles

There has recently been a publication of a path disclosure issue in Drupal with the title "Drupal 7.14 <= Full Path Disclosure Vulnerability"

As a response to this and the entire class of issues (that our error messages are optimized for usability over security), I've posted this FAQ entry: Information disclosure in error messages not a weakness (Path disclosure, SQL error messages, etc.)

Please help improve that page to provide any additional, useful guidance.

Edit: For search engines: This has now been assigned CVE-2012-2922.

Comments

Full Path Disclosure a risk?

no2e

I have "Error messages to display" set to "None", but when I visit my-drupal-site.example.com/?q[]=x (as anonymous), I still get an error message with the full path disclosed.

The FAQ describes that it is not a problem, because you can disable the display of error messages. But when this doesn't work (like in my case), does that mean that it could be a risk?

It does appear that this

greggles

It does appear that this specific issue gets around that setting, so I added information about PHP which should fix it.

As to whether or not this is a problem, you have to ask yourself: is it a problem that someone knows the path to my document root? This is only a problem if you have a second vulnerability that makes this important, such as (but not limited to) an arbitrary PHP execution or arbitrary file upload issue, but in those cases you should focus on fixing those vulnerabilities.
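A minimal stand-in for the mechanism discussed above and for the PHP-side fix, added here as an example; it is not Drupal's code, and the function names and the application-level setting are assumptions. It shows why an application's own "don't display errors" setting cannot catch a warning that PHP's default handler prints, and why the type check plus `display_errors` off closes it:

```php
<?php
// Added example, not Drupal's code: a tiny front controller that, like the
// reported issue, hands the request's "q" parameter to a string function.

// Application-level setting modelled on "Error messages to display: None".
// It only governs errors that reach the application's own handler; it can do
// nothing about output PHP's default handler has already sent to the browser.
define('APP_SHOW_ERRORS', false);

function app_error_handler($errno, $errstr, $errfile, $errline) {
    if (APP_SHOW_ERRORS) {
        echo "Error: $errstr in $errfile on line $errline\n";
    } else {
        error_log("Error: $errstr in $errfile on line $errline");
    }
    return true; // handled here, so PHP does not print it as well
}

// Vulnerable form: ?q[]=x makes $_GET['q'] an array. If this runs before
// set_error_handler() is in place (or the handler is bypassed), PHP's own
// handler prints the warning, and that warning contains the absolute path of
// this file whenever display_errors is on.
function handle_request_vulnerable(array $get) {
    $q = isset($get['q']) ? $get['q'] : '';
    return trim($q);                 // warning (and path) on an array
}

// Hardened form: validate the type before any string function sees it, and
// keep display_errors off so anything that still slips through is logged
// instead of rendered. The ini_set calls stand in for php.ini/settings.php.
function handle_request_hardened(array $get) {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    $q = isset($get['q']) ? $get['q'] : '';
    if (!is_string($q)) {
        $q = '';                     // malformed parameter: treat as front page
    }
    return trim($q);
}

set_error_handler('app_error_handler');
// Constructed request equivalent to /?q[]=x
var_dump(handle_request_hardened(array('q' => array('x'))));  // string(0) ""
```

Under PHP 5 and 7 (what Drupal 7.14 ran on) trim() on an array raises a warning and returns NULL; PHP 8 throws a TypeError instead, but an uncaught exception with display_errors on discloses the path just the same, so the is_string check and the ini settings both still matter.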

This has now been fixed in

greggles

This has now been fixed in Drupal 7.15, and an issue for 6.x is ready for testers at http://drupal.org/node/1576300

Thanks for the CVE

rickmanelius

My first search turned up nothing, so I think that's a great improvement so we don't needlessly pester the security team :)
