Overview
A Full Path Disclosure was found on /core/authorize.php (Unauthenticated) when setting the hash_salt variable in the /sites/default/settings.php file to a file that doesn’t exist. This is displayed even if the error logging is configured to “None”. This was tested on drupal 10.1.8.
Setup & vulnerability
After installing the drupal application the developer can change the hash_salt variable on line 268 in the /sites/default/settings.php file. As advised in the example the developer can use a file for this by using the file_get_contents function:
If this is set to a file with a salt string in it the application works as intended. However if this is set to an empty file or a file that doesn’t exist. It could be that this file it was set to gets deleted, removed or renamed after some time. This will break the website. As an example the following code can be used as recommended in the comment:
Now if this file gets removed the application breaks and the full path traversal is shown by navigating to /core/authorize.php as is shown in the image below.
Extra information
I’ve found the Full Path Disclosure multiple times by doing bug bounties for different organizations which used drupal. By navigating to /core/authorize.php will show that there is no access to the page. However if there is an error in the settings.php page it will show the forbidden page with a Full Path Disclosure as shown in the image below:
CVSSv3.1 Score
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N – (5.3)
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45440
https://owasp.org/www-community/attacks/Full_Path_Disclosure
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
https://www.drupal.org/project/drupal/issues/3457781