
Drupal Broken Anti-Automation / Path Disclosure

Posted Feb 16, 2011
Authored by MustLive

Drupal versions 6.20 and below suffer from broken anti-automation and path disclosure vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 998d6854d0553d84a23f01ebfab42858ac12d515cef3a3c74af722f5b84febca

Hello list!

I want to warn you about Full path disclosure and Insufficient
Anti-automation vulnerabilities in Drupal.

-------------------------
Affected products:
-------------------------

Drupal 6.20 and previous versions are vulnerable.

Vulnerable versions of the Captcha module are those before 6.x-2.3 and 7.x-1.0.

----------
Details:
----------

Full path disclosure (WASC-13):

On a POST request to a page with a form, with a Cyrillic character used in
the op parameter, an error message is shown that contains the full path on
the system.

Vulnerabilities exist at pages: http://site/user/, http://site/user/1/edit,
http://site/user/password, http://site/user/register, http://site/contact,
http://site/user/1/contact. Other pages which have forms can also be
vulnerable.

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20Full%20path%20disclosure.html

As the Drupal developers noted, these vulnerabilities appear because the
debugging option is turned on in the administrator panel. So to prevent these
and other FPD issues on the site, this option needs to be turned off.

Insufficient Anti-automation (WASC-21):

Various forms in Drupal use the vulnerable captcha. Drupal's Captcha module
is itself vulnerable, so all captcha plugins can be vulnerable. To bypass the
captcha, it is necessary to use a correct value of captcha_sid and the same
value of captcha_response. This method of captcha bypass is described in my
project Month of Bugs in Captchas (http://websecurity.com.ua/1498/). The
attack is possible while this captcha_sid value is active.

Vulnerabilities exist on pages with forms: http://site/contact,
http://site/user/1/contact, http://site/user/password and
http://site/user/register. Other forms where the captcha is used will also be
vulnerable.

Taking into account that the Captcha module for Drupal is a third-party
module, the Insufficient Anti-automation vulnerability exists both in the
Captcha module (captcha bypass) and in Drupal itself (lack of captcha). As a
result we have a "forever vulnerable" condition, where a default Drupal
installation is vulnerable to IAA and the Captcha module is also vulnerable to
IAA (but the Captcha module was already fixed in 2010, so it's recommended to
update it to the latest version).

Exploit:

http://websecurity.com.ua/uploads/2011/Drupal%20CAPTCHA%20bypass.html

------------
Timeline:
------------

2010.12.10 - announced at my site.
2010.12.11 - informed developers.
2010.12.11 - response from Drupal security team.
2010.12.12 - I drew the attention of the Drupal security team to the fact
that IAA holes existed not only in the Captcha module, but in Drupal itself
(so it concerned Drupal too).
2011.02.15 - disclosed at my site.

I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/4749/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
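
Added example, not part of the original advisory and not the Captcha module's code: a simplified Python model of the condition described under Insufficient Anti-automation, where a (captcha_sid, captcha_response) pair stays acceptable while the captcha_sid is active, beside a store that consumes the challenge on its first verification. The class and function names, the TTL and the sample solution are assumptions made for illustration.

```python
import secrets
import time


class ReplayableCaptchaStore:
    """Weak model: a solved challenge stays valid until it expires."""

    def __init__(self, ttl=600):
        self.ttl = ttl
        self.challenges = {}  # captcha_sid -> (solution, issued_at)

    def issue(self, solution, now=None):
        sid = secrets.token_hex(8)
        self.challenges[sid] = (solution, time.time() if now is None else now)
        return sid

    def verify(self, captcha_sid, captcha_response, now=None):
        now = time.time() if now is None else now
        entry = self.challenges.get(captcha_sid)
        if entry is None or now - entry[1] > self.ttl:
            return False
        return secrets.compare_digest(entry[0], captcha_response)


class SingleUseCaptchaStore(ReplayableCaptchaStore):
    """Hardened model: every verification attempt consumes the challenge."""

    def verify(self, captcha_sid, captcha_response, now=None):
        now = time.time() if now is None else now
        # pop() removes the sid whether the answer is right or wrong, so one
        # solved pair cannot be resubmitted and a wrong guess cannot be retried.
        entry = self.challenges.pop(captcha_sid, None)
        if entry is None or now - entry[1] > self.ttl:
            return False
        return secrets.compare_digest(entry[0], captcha_response)


def count_accepted(store, submissions=5):
    """Submit the same (captcha_sid, captcha_response) pair repeatedly."""
    sid = store.issue("7xk2p")  # constructed sample solution
    return sum(store.verify(sid, "7xk2p") for _ in range(submissions))


if __name__ == "__main__":
    print("replayable:", count_accepted(ReplayableCaptchaStore()))
    print("single-use:", count_accepted(SingleUseCaptchaStore()))
```

In a form handler, the single-use behaviour means a new challenge is issued for every rendered form, including after a failed submission.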
