Hi guys, I was testing Acunetix WVS (with AcuSensor enabled) on Drupal (http://www.drupal.org) and the scanner found a possible File Inclusion vulnerability. The vulnerability is located in the file "includes\theme.inc" on line 1011. Vulnerable code: function theme_render_template($template_file, $variables) { extract($variables, EXTR_SKIP); // Extract the variables to a local namespace ob_start(); // Start output buffering include "./$template_file"; // Include the template file <<< here is the vulnerability $contents = ob_get_contents(); // Get the contents of the buffer ob_end_clean(); // End buffering and discard return $contents; // Return the contents } Basically, by manipulating the q variable, it's possible to partially control the include path. The GET variable q was set to "start/../../xxx\..\..\end" and it got partially sanitized. It reached the include function as "./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php". All the slashes were replaced with "-". Even more, we cannot fully control the include path, the user input is automatically prefixed with "./themes/garland/page-". So, this vulnerability doesn't look exploitable, right? Actually, this is exploitable, but only on Windows systems. On Unix systems, something like "cat /var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work because some_invalid_filename is not a directory. It will not work even if you have a valid filename in there. In my opinion this is the expected behavior. However, on Windows things are differently. Executing the command "type c:\windows\sssssssssssss\..\..\..\..\..\boot.ini" will return the contents of c:\boot.ini even if sssssssssssss is not a directory and it doesn't even exists as a filename. PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to use %00 to terminate the string. Therefore, if you set q to something like q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00 it's possible to include the contents of boot.ini on Windows systems (if the web server is installed on the C: partition). A bit more information is available in our blog at http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/. Drupal security team was notified about this vulnerability on 29 January 2009 and they've released a fix on 25 February 2009. The fix for Drupal versions 5.x is available at http://drupal.org/node/384024. And for Drupal versions 6.x can be found at http://drupal.org/node/383724. Thanks and have a nice day, -- Bogdan Calin - bogdan@xxxxxxxxxxxx CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog