Key Information Overview

Elastic Database: 18564
CVE Identifier: 2007-6752
Exploit Title: Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities
Date: 02-03-2012
Author: Ivano Binetti
Vulnerable Software: Drupal 7.12 (and lower) CMS
Vulnerable Platform: PHP
Tested Environment: Debian Squeeze 6.0

Vulnerability Summary

1. Poor Session Checking (CSRF for changing settings)
2. Poor Session Checking (CSRF for forcing administrator logout)
3. Poor Session Checking (using HTTP POST and GET)
4. Poor Session Checking (missing HTTP Referer header)

Vulnerability Description

Drupal 7.12 suffers from multiple vulnerabilities that could potentially allow an attacker to gain access to the management interface.

CSRF flaws exist when the form_token parameter is generated, causing it to be the same for form operations in the same session. Using the form_build_id parameter allows changes to be made to Drupal settings through the web management interface. CGI vulnerabilities enable an attacker to craft a web page for a Drupal administrator to change any Drupal setting.

Unclear or unvalidated input validation in allows an attacker to create a crafted web page for forced logout.

Drupal also does not validate the HTTP method "POST" or "GET". Exploitation occurs when an attacker submits an HTTP POST request to the URL.

Drupal does not validate the HTTP Referer header. Additionally, the last two vulnerabilities can be exploited.

Vulnerability Exploitation

Two CSRF exploits are provided:

1. For creating an administrator account
2. For forcing the administrator to log out
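
A defensive sketch of the checks whose absence the description reports (a token bound to one form, HTTP method enforcement, and Origin/Referer validation). It is an added example, not code from the advisory or from Drupal; the function names, form ids and SITE_ORIGIN are assumptions.

```php
<?php
// Added example. Helper names and the origin are assumptions, not Drupal's API.
const SITE_ORIGIN = 'https://cms.example.test'; // constructed value
// Token bound to the session secret and one form id: not reusable across forms.
function issue_form_token(string $sessionSecret, string $formId): string {
    return hash_hmac('sha256', $formId, $sessionSecret);
}

// True only when an Origin/Referer value has our scheme, host and port.
function same_origin(?string $header): bool {
    if ($header === null || $header === '') {
        return false; // absent header on a state-changing request: reject
    }
    $p = parse_url($header);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host'])
            . (isset($p['port']) ? ':' . $p['port'] : '');
    return hash_equals(SITE_ORIGIN, $origin);
}

// Returns null if the request may proceed, otherwise the name of the failed check.
function check_state_change(array $req, string $sessionSecret, string $formId): ?string {
    if (($req['method'] ?? '') !== 'POST') {
        return 'method'; // settings changes and logout never run on GET
    }
    if (!same_origin($req['origin'] ?? $req['referer'] ?? null)) {
        return 'origin';
    }
    $expected = issue_form_token($sessionSecret, $formId);
    if (!hash_equals($expected, (string) ($req['form_token'] ?? ''))) {
        return 'token';
    }
    return null;
}
// Constructed sample requests, one per check.
$secret = bin2hex(random_bytes(32));
$token  = issue_form_token($secret, 'user_logout');
$ok     = ['method' => 'POST', 'origin' => SITE_ORIGIN, 'form_token' => $token];
$cases  = [
    'valid logout'          => [$ok, 'user_logout'],
    'GET instead of POST'   => [['method' => 'GET'] + $ok, 'user_logout'],
    'no Origin/Referer'     => [['origin' => null] + $ok, 'user_logout'],
    'token from other form' => [$ok, 'system_settings'],
];
foreach ($cases as $label => [$req, $formId]) {
    printf("%-22s %s\n", $label, check_state_change($req, $secret, $formId) ?? 'accepted');
}
```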