In this post we are going to describe how to take advantage of the Drupal Views module information disclosure vulnerability.

As everybody knows, Drupal "is a free and open-source content management framework (CMF) written in PHP and distributed under the GNU General Public License. It is used as a back-end system for at least 2.1% of all websites worldwide ranging from personal blogs to corporate, political, and government sites... It is also used for knowledge management and business collaboration."

First of all, we need to find a Drupal installation. We are going to use Shodan. You can use the following query:

After you've selected one of them, we are going to look for all the users on the website. You can try the following query:
http://URL/?q=admin/views/ajax/autocomplete/user/e 

In this case, you can see all users whose username contains "e".



Then, we are going to go to the login page at http://URL/user/login and try to log in as some of these users. You can use a brute-force attack with Hydra on Backtrack, for example... In this case, we'll try manually.


Well, we are lucky guys!!! We are in Ecopol's profile!!!! In this case, the username and the password were the same!!!


And... can I add/edit/remove content on this Drupal website? Just let me see...


It seems so...

If you want, you can use a script included in Backtrack called DPScan.py to get a list of every user on the Drupal website.

But we are on the right side, the Security Engineer or System Administrator side... What can we do? At this link, you can get the patch...

The best option to avoid this will always be to have a complex password requirement...
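
On the defender's side, requests to the autocomplete path shown above are visible in the web server's access log. The following is an added example, not part of the original post: it flags clients that received answers from that path for several different search strings, assuming combined log format; the function name, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path from the post, matched in "?q=" form and in clean-URL form
# (handling the clean-URL form is an assumption of this example).
AUTOCOMPLETE = re.compile(r"(?:^|[/=])admin/views/ajax/autocomplete/user/([^&\s]*)")
# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def find_enumeration(lines, min_prefixes=3):
    """Return {client_ip: sorted search strings} for clients that got HTTP 200
    from the autocomplete path for at least min_prefixes distinct strings."""
    answered = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, status = m.groups()
        hit = AUTOCOMPLETE.search(unquote(target))  # also catches %2F-encoded paths
        # Only answered requests count; a refused one (403/404) disclosed nothing.
        if hit and status == "200":
            answered[ip].add(hit.group(1))
    return {ip: sorted(p) for ip, p in answered.items() if len(p) >= min_prefixes}

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:10:01:01 +0000] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 200 112 "-" "curl/7.29"
203.0.113.7 - - [10/Mar/2013:10:01:02 +0000] "GET /?q=admin%2Fviews%2Fajax%2Fautocomplete%2Fuser%2Fe HTTP/1.1" 200 240 "-" "curl/7.29"
203.0.113.7 - - [10/Mar/2013:10:01:03 +0000] "GET /admin/views/ajax/autocomplete/user/i HTTP/1.1" 200 98 "-" "curl/7.29"
198.51.100.20 - admin [10/Mar/2013:10:05:00 +0000] "GET /?q=admin/views/ajax/autocomplete/user/e HTTP/1.1" 200 240 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2013:10:07:00 +0000] "GET /?q=admin/views/ajax/autocomplete/user/a HTTP/1.1" 403 512 "-" "curl/7.29"
192.0.2.44 - - [10/Mar/2013:10:07:01 +0000] "GET /?q=admin/views/ajax/autocomplete/user/e HTTP/1.1" 403 512 "-" "curl/7.29"
192.0.2.44 - - [10/Mar/2013:10:07:02 +0000] "GET /?q=admin/views/ajax/autocomplete/user/o HTTP/1.1" 403 512 "-" "curl/7.29"
198.51.100.20 - - [10/Mar/2013:10:09:00 +0000] "GET /user/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, prefixes in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} listed users for search strings: {', '.join(prefixes)}")
```

A client that still gets 200 responses from this path after the patch has been applied is worth a second look, and the same source address is a good pivot for reviewing failed logins on /user/login.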