CVE-2024-45440
📋 TL;DR
This vulnerability in Drupal 11.x-dev allows Full Path Disclosure when the hash_salt configuration points to a non-existent file. Attackers can exploit this to reveal the server's full filesystem path, which could aid in further attacks. Only Drupal 11.x-dev installations with misconfigured hash_salt settings are affected.
💻 Affected Systems
- Drupal
📦 What is this software?
Drupal by Drupal
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain full server path information, enabling more targeted attacks like directory traversal or information gathering for exploitation chains.
Likely Case
Information disclosure revealing server directory structure, potentially exposing sensitive configuration details or aiding in reconnaissance.
If Mitigated
Minimal impact with proper error handling and configuration validation in place.
🎯 Exploit Status
Exploitation requires specific misconfiguration but is straightforward once conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Drupal 11.x-dev builds that include the fix commit from the issue linked below
Vendor Advisory: https://www.drupal.org/project/drupal/issues/3457781
Restart Required: No
Instructions:
1. Update to the latest Drupal 11.x-dev version.
2. Ensure hash_salt in settings.php uses a valid string value, not a file_get_contents() call.
3. Verify that error handling is properly configured.
🔧 Temporary Workarounds
Fix hash_salt configuration
Ensure hash_salt in settings.php contains a proper string value instead of a file_get_contents() call; when the referenced file is missing, the failed file_get_contents() raises a PHP warning that includes the path.
Edit settings.php and replace: $settings['hash_salt'] = file_get_contents('/path/to/file'); with: $settings['hash_salt'] = 'your-secure-random-string-here';
Enable proper error handling
Configure Drupal to suppress error messages in production.
In settings.php ensure: $config['system.logging']['error_level'] = 'hide';
🧯 If You Can't Patch
- Ensure hash_salt configuration uses a valid string value, not file_get_contents().
- Implement web application firewall rules to block requests attempting path disclosure.
🔍 How to Verify
Check if Vulnerable:
Check if settings.php contains $settings['hash_salt'] = file_get_contents() pointing to a non-existent file and test error responses.
Check Version:
drush status | grep 'Drupal version' or check core/lib/Drupal.php
Verify Fix Applied:
Verify hash_salt uses a string value and test that no path information is disclosed in error responses.
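The check described under "Check if Vulnerable" and the settings.php contrast from the workaround above, as an added audit script that is not part of the advisory or of Drupal: it reads a settings.php body, ignores commented-out lines (default.settings.php ships one), and reports whether the effective hash_salt is a file_get_contents() call on a missing file. The sample settings bodies and the path_exists hook are constructed for illustration.

```python
import os
import re

# Constructed patterns for the two settings.php forms the advisory contrasts:
#   weak:  $settings['hash_salt'] = file_get_contents('/path/to/file');
#   fixed: $settings['hash_salt'] = 'your-secure-random-string-here';
_FGC = re.compile(
    r"""^\s*\$settings\[\s*(['"])hash_salt\1\s*\]\s*=\s*"""
    r"""file_get_contents\(\s*(['"])(?P<path>[^'"]*)\2\s*\)\s*;""")
_STR = re.compile(
    r"""^\s*\$settings\[\s*(['"])hash_salt\1\s*\]\s*=\s*(['"])(?P<value>[^'"]*)\2\s*;""")


def audit_hash_salt(settings_php, path_exists=os.path.exists):
    """Classify the effective hash_salt assignment in a settings.php body.

    Only uncommented lines count and the last assignment wins, as in PHP.
    Returns one of:
      'vulnerable' - file_get_contents() on a file that does not exist
                     (the misconfiguration CVE-2024-45440 describes)
      'fragile'    - file_get_contents() on a file that exists today
      'empty'      - an empty string literal
      'ok'         - a non-empty string literal
      'missing'    - no hash_salt assignment found
    """
    verdict = "missing"
    for line in settings_php.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue  # skip the commented-out example shipped in default.settings.php
        m = _FGC.match(line)
        if m:
            verdict = "fragile" if path_exists(m.group("path")) else "vulnerable"
            continue
        m = _STR.match(line)
        if m:
            verdict = "ok" if m.group("value") else "empty"
    return verdict


# Constructed sample settings.php bodies (not from a real site).
VULNERABLE_SETTINGS = """<?php
# $settings['hash_salt'] = file_get_contents('/home/example/salt.txt');
$settings['hash_salt'] = file_get_contents('/etc/drupal/missing-salt.txt');
"""
FIXED_SETTINGS = """<?php
$settings['hash_salt'] = 'your-secure-random-string-here';
"""

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(name, "->", audit_hash_salt(body))
```

Run it against a real site's settings.php by passing the file contents to audit_hash_salt(); anything other than 'ok' deserves a look.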
📡 Detection & Monitoring
Log Indicators:
- PHP warnings about file_get_contents() failures
- Error logs containing full path disclosures
Network Indicators:
- HTTP responses containing server path information in error messages
SIEM Query:
web_logs WHERE message CONTAINS 'file_get_contents' OR message CONTAINS '/var/www' OR message CONTAINS full path patterns