CVE-2012-1641 in finderinfo

Summary

by MITRE

The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/12/2021

The vulnerability identified as CVE-2012-1641 represents a critical remote code execution flaw within the Drupal content management system's Finder module. This vulnerability specifically affects versions 6.x-1.x prior to 6.x-1.26 and 7.x-1.x, as well as 7.x-2.x versions before 7.x-2.0-alpha8. The security flaw exists within the finder_import function, which processes data during the import operation at the admin/build/finder/import endpoint. The vulnerability is particularly dangerous because it requires only authenticated access with the specific "administer finder" permission, making it exploitable by users who have been granted administrative privileges within the Drupal system.

The technical exploitation of this vulnerability occurs through a code injection vector that allows attackers to execute arbitrary PHP code on the target server. When an authenticated user with the appropriate permissions accesses the admin/build/finder/import path, the finder_import function fails to properly validate or sanitize input parameters. This lack of input sanitization creates an opportunity for malicious users to inject PHP code that gets executed within the context of the web server process. The vulnerability falls under the CWE-94 category of "Improper Control of Generation of Code ('Code Injection')" which is a fundamental weakness in software design that allows attackers to execute code in the context of the application. The attack surface is further expanded through the ATT&CK framework's technique T1059.001 which covers "Command and Scripting Interpreter: PowerShell" and similar execution methods that can be leveraged through code injection vulnerabilities.

The operational impact of this vulnerability extends far beyond simple data manipulation or access control bypasses. Successful exploitation can result in complete compromise of the Drupal installation, allowing attackers to execute arbitrary commands, access sensitive data, modify content, and potentially use the compromised server as a launch point for further attacks against internal networks. The vulnerability's remote nature means attackers do not need physical access to the server, and the requirement for only the "administer finder" permission makes it particularly concerning since this level of access is often granted to trusted administrators within Drupal installations. Organizations using affected versions of the Finder module face significant risk of data breaches, service disruption, and potential regulatory compliance violations.

Mitigation strategies for CVE-2012-1641 primarily involve immediate patching of the affected Drupal installations to versions that have addressed this vulnerability. The Drupal security team released updates in versions 6.x-1.26 and 7.x-2.0-alpha8 that properly validate and sanitize input parameters within the finder_import function. Additionally, administrators should implement the principle of least privilege by carefully reviewing and limiting the "administer finder" permission to only those users who absolutely require it. Network segmentation and monitoring of administrative access points can help detect potential exploitation attempts. Organizations should also consider implementing web application firewalls that can detect and block malicious payloads targeting this specific vulnerability. The vulnerability highlights the importance of input validation and the need for security reviews of all code paths that process user-supplied data, particularly those that may execute code or interact with the file system. Regular security audits and keeping software dependencies up-to-date remain crucial defensive measures against similar vulnerabilities in the Drupal ecosystem and other web applications.

Reservation

03/12/2012

Disclosure

08/28/2012

Moderation

accepted

Entry

VDB-61921

CPE

ready

EPSS

0.02292

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!