Re: LFI in Drupal CMS

2009-02-18 Thread security
Rasool Nasr replied privately with additional details:

- quote

"You must go to the profile folder and create a file with .profile
extension. Then you must copy your shell (such as c99) into the created
file, for example create shell .profile, and then use it with this sample:

http://[sitename]/drupal/install.php?profile=shell";

- unquote

Response:

Installation profiles define which modules should be enabled, and can
customize the installation after they have been installed. This
allows customized "distributions" that enable and configure a set of
modules that work together for a specific kind of site (Drupal for
bloggers, Drupal for musicians, Drupal for developers, and so on).

Just like other Drupal directories, the profiles directory is normally
not writable by the webserver.

The reported "vulnerability" is therefore in the same league as "ZOMG
- IF YOU OVERWRITE INDEX.PHP, TEH CODE IS EXECUTED"

Regards

Heine Deelstra

--
Drupal security team
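
Added example, not part of the thread and not Drupal's own code: a Python audit of the point made in the reply above, that the profiles directory is normally not writable by the web server. The function names, the expected-profile allowlist, and the sample tree are assumptions constructed for illustration; only permission bits are checked, not ACLs.

```python
import os
import stat
import tempfile

EXPECTED_PROFILES = {"default"}  # assumption: only the stock "default" profile is expected
def writable_by(path, uid, gids):
    """True if the mode bits let uid/gids write to path (ACLs are not checked)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_profiles(drupal_root, web_uid, web_gids, expected=EXPECTED_PROFILES):
    """Return sorted (finding, relative path) pairs for <drupal_root>/profiles."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(drupal_root, "profiles")):
        if writable_by(dirpath, web_uid, web_gids):
            findings.append(("writable-dir", os.path.relpath(dirpath, drupal_root)))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, drupal_root)
            if writable_by(full, web_uid, web_gids):
                findings.append(("writable-file", rel))
            base, ext = os.path.splitext(name)
            if ext == ".profile" and base not in expected:
                findings.append(("unexpected-profile", rel))
    return sorted(findings)

def build_sample_tree(profiles_mode):
    """Constructed sample tree: the stock profile plus one stray .profile file."""
    root = tempfile.mkdtemp(prefix="drupal-audit-")
    for name in ("default", "stray"):
        d = os.path.join(root, "profiles", name)
        os.makedirs(d)
        os.chmod(d, 0o755)
        path = os.path.join(d, name + ".profile")
        open(path, "w").close()
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "profiles"), profiles_mode)
    return root

if __name__ == "__main__":
    for mode in (0o755, 0o777):  # constructed demo; uid+1 stands in for the web account
        print(oct(mode), audit_profiles(build_sample_tree(mode), os.getuid() + 1, set()))
```

On a real installation, pass the Drupal root together with the uid and group ids of the account the web server runs as; an empty result means nothing under profiles/ is writable by that account and no unlisted .profile file is present.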


Re: LFI in Drupal CMS

2009-02-12 Thread security
I am unable to reproduce on the pre- or post-install phase of Drupal 6.9.

Can you please provide additional details?

--
Drupal security team


LFI in Drupal CMS

2009-02-09 Thread rasool . nasr
Author : Rasool Nasr
---
Discovered by : Rasool Nasr
---
Exploited By : Rasool Nasr
---
E-Mail : rasool.n...@gmail.com
---
WebSite : http://ircrash.com
---
Our Team : ircrash
---
IRCRASH Team Members : Dr.Crash Or Khashayar Fereidani - Hadi Kiamarsi - Malc0de - R3d.w0rm - Rasool Nasr
---
CMS: Drupal ( Version 6.9 )
Download CMS : http://ftp.drupal.org/files/projects/drupal-6.9.tar.gz
---
LFI

Exploit :

http://[sitename]/drupal/install.php?profile=[shell code]

or

http://[sitename]/drupal/install.php?profile=[shell code]%00
---