CVE-2011-2726 - Incorrect Authorization

Severity

75%

Complexity

39%

Confidentiality

60%

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Incorrect Authorization

CWE-863

The following code could be for a medical records application. It displays a record to already authenticated users, confirming the user's authorization using a value stored in a cookie.


               
}
}
setcookie("role", $role, time()+60*60*2);
die("\n");
DisplayMedicalHistory($_POST['patient_ID']);
die("You are not Authorized to view this record\n");

The programmer expects that the cookie will only be set when getRole() succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie. However, the attacker can easily set the "role" cookie to the value "Reader". As a result, the $role variable is "Reader", and getRole() is never invoked. The attacker has bypassed the authorization system.

Overview

First reported 5 years ago

2019-11-15 17:15:00

Last updated 5 years ago

2019-12-03 19:49:00

Affected Software

Drupal

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

Red Hat Enterprise Linux 5.0

5.0

Red Hat Enterprise Linux 6.0

6.0

Fedora 14

14

Fedora 15

15

Fedora 16

16

References

http://www.openwall.com/lists/oss-security/2012/03/19/10

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2012/03/20/14

Mailing List, Third Party Advisory

https://access.redhat.com/security/cve/cve-2011-2726

Broken Link

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726

Issue Tracking, Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2011-2726

Third Party Advisory

https://www.drupal.org/node/1231510

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.