Intigriti - Hack Hub

Drupal Nodes with Misconfigured Access Controls

Last updated 12 months ago

Description:

Drupal is built for flexibility: every piece of content, whether a page, an article, a topic or a blog entry, is stored as a separate node. Nodes can contain sensitive data, and if permissions are not enforced on them, they can leak private data to unauthorized users.

Testing:

Each node is assigned an individual ID. In a black-box scenario, where you have limited knowledge of how many nodes exist, it is recommended to check thousands of IDs by means of targeted bruteforcing. To do so, replace the positional {ID} parameter with a numerical value (for example: 1):

/node/{ID}

Keep incrementing the ID until you come across an existing node ID, then examine the response manually.

Remediation:

Introduce effective access controls for each node.
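As an added illustration of what such a control looks like on Drupal 8 and later (this is example code, not part of the Misconfig Mapper docs or of Drupal core), a custom module can implement hook_node_access() so that nodes of a sensitive content type are never viewable without an explicit permission. The content type machine name `internal_page`, the permission `access internal pages` and the module name `mymodule` are assumptions.

```php
<?php

/**
 * @file
 * mymodule.module (assumed module name): per-node access enforcement example.
 *
 * Companion file mymodule.permissions.yml (assumed) declares the permission:
 *   access internal pages:
 *     title: 'Access internal pages'
 *     restrict access: true
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Implements hook_node_access().
 *
 * Entity access checks run for direct /node/{ID} requests, so this hook
 * closes exactly the vector described under Testing for the assumed
 * 'internal_page' content type. A forbidden result from any module wins
 * over allowed results from core or other modules.
 */
function mymodule_node_access(NodeInterface $node, $operation, AccountInterface $account) {
  // Only decide for the sensitive bundle and the 'view' operation;
  // stay neutral otherwise so core's own checks still apply.
  if ($node->bundle() !== 'internal_page' || $operation !== 'view') {
    return AccessResult::neutral();
  }

  // The outcome depends on the account's permissions and on the node,
  // so declare both as cache dependencies to keep the render cache correct.
  if ($account->hasPermission('access internal pages')) {
    return AccessResult::allowed()
      ->cachePerPermissions()
      ->addCacheableDependency($node);
  }

  // Anonymous users and any role without the permission are denied,
  // regardless of the node's published status.
  return AccessResult::forbidden()
    ->cachePerPermissions()
    ->addCacheableDependency($node);
}
```

Two caveats a reviewer would check: accounts holding Drupal's "bypass node access" permission skip node access hooks entirely, and this hook does not filter node listings built from database queries (that requires node grants), so verify both paths separately after deploying.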

Potential Impact:

Drupal nodes can expose a variety of potentially sensitive data, for example private data from clients or other users, as well as internal pages only meant to be accessed by site administrators.

References:

https://twitter.com/adrien_jeanneau/status/1273952564430725123
https://www.drupal.org/docs/core-modules-and-themes/core-modules/node-module/about-nodes
https://web.archive.org/web/20220203132234/https://0xblackbird.github.io/blog/post1