Drupal Dagger is a Google dork discovered by my teammate Mohan of TPH Infosec. During his recon, Mohan found that this dork let him bypass the login of random Drupal websites and reset their users' passwords without being asked for the old password. Here, I will explain in detail how this dork works and how to stop it.
What is Drupal Dagger :
Earlier, several Drupal users reported that, when they tried to reset their password, they got stuck in a loop that kept asking for the old password.
This was due to a bug in Drupal that was reported a few years ago. As a workaround, Drupal users were advised to install one of several modules, among them the PRLP (Password Reset Landing Page) module.
When this module is installed and a user requests a new password, that user is emailed a one-time login link. The link comes with an expiry date and time.
This one-time login link lets the user change their password without being asked for the current one, and also lets them log in to their account without changing the password at all.
Unfortunately, some of these one-time login links ended up indexed by search engines. Anyone who finds such a link before it expires and before it has been used can log in as that user and change their password.
Drupal Dagger is a dork that finds these indexed one-time login links. It affected Drupal sites that had this module installed and whose reset links had been indexed. Now, let's have a look at the attack scenario behind this dork.
Bypass Login Pages using Drupal Dagger :
Dork: intext:"This login can be used only once"
Searching for this dork on Google returns a list of Drupal pages whose one-time login links were indexed. Only links that have not yet expired and have not already been used are still exploitable, so not every result is live.
Open one of the results. You will see a message stating:
"This is a one-time login for *username* and will expire on Tue, 03/06/2018 – 06:20. Click on this button to log in to the site and change your password. This login can be used only once."
Below this message is a "Login" button. Click it and you are logged into that user's account, able to change their password and exercise every other right that user has.
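Two checks go with the steps above: whether the timestamp embedded in a found link is still inside the reset window (a pentester triaging hits), and whether search-engine crawlers have been fetching reset links at all (a site owner deciding if they are exposed). The Python below is an added example, not code from the original post, from Drupal or from the PRLP module. It assumes Drupal's standard one-time login URL shape /user/reset/<uid>/<timestamp>/<hash>, the default 24-hour reset timeout, an access log in the common "combined" format, and a short allowlist of crawler user-agent markers; the log lines, IP addresses and hashes are constructed for the demo. Under those assumptions a link issued at 06:20 UTC on 03/05/2018 expires at 06:20 on 03/06/2018, which is how the expiry in the message above comes about (a site's own timezone may shift the displayed time).

```python
"""Triage Drupal one-time login links and spot crawler hits on them (added example)."""
import re
from datetime import datetime, timezone

# Drupal's one-time login URL shape: /user/reset/<uid>/<timestamp>/<hash>.
# The hash is opaque here; only the embedded issue timestamp is interpreted.
RESET_PATH_RE = re.compile(
    r"/user/reset/(?P<uid>\d+)/(?P<ts>\d{9,11})/(?P<hash>[A-Za-z0-9_-]+)"
)

# Assumption: Drupal's default password reset timeout of 24 hours.
PASSWORD_RESET_TIMEOUT = 86400

# Apache/nginx "combined" access log line (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: a small allowlist of crawler user-agent markers; extend as needed.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider")


def parse_reset_link(url):
    """Return uid/issued/hash from a one-time login URL, or None if it is not one."""
    m = RESET_PATH_RE.search(url)
    if not m:
        return None
    return {"uid": int(m["uid"]), "issued": int(m["ts"]), "hash": m["hash"]}


def link_status(url, now, timeout=PASSWORD_RESET_TIMEOUT):
    """Classify a link as 'not-a-reset-link', 'expired' or 'in-window'.

    'in-window' only means the timestamp has not aged out. Whether the link
    has already been consumed can only be learned by asking the site.
    """
    link = parse_reset_link(url)
    if link is None:
        return "not-a-reset-link"
    age = now - link["issued"]
    if age < 0 or age >= timeout:
        return "expired"
    return "in-window"


def expires_at(url, timeout=PASSWORD_RESET_TIMEOUT):
    """UTC expiry shown on the landing page: issue timestamp plus the timeout."""
    link = parse_reset_link(url)
    if link is None:
        return None
    return datetime.fromtimestamp(link["issued"] + timeout, tz=timezone.utc)


def crawler_reset_hits(log_lines):
    """Return (ip, path, user_agent) for every crawler request to a reset link."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not RESET_PATH_RE.search(m["path"]):
            continue
        ua = m["ua"]
        if any(marker in ua.lower() for marker in CRAWLER_MARKERS):
            hits.append((m["ip"], m["path"], ua))
    return hits


# Constructed sample log: the real user fetches their link first, then Googlebot
# fetches the same (now consumed) link; bingbot fetches an unrelated page and,
# later, a different user's reset link. IPs, hashes and agents are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Mar/2018:06:25:41 +0000] "GET /user/reset/42/1520230800/Qx7ZsbLk9a HTTP/1.1" 200 4312 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"',
    '198.51.100.7 - - [05/Mar/2018:09:02:13 +0000] "GET /user/reset/42/1520230800/Qx7ZsbLk9a HTTP/1.1" 200 4312 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [05/Mar/2018:11:47:58 +0000] "GET /node/17 HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '198.51.100.9 - - [06/Mar/2018:02:10:07 +0000] "GET /user/reset/7/1520262000/m3Np_vE8kQ HTTP/1.1" 200 4290 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
]

if __name__ == "__main__":
    found = "https://example.org/user/reset/42/1520230800/Qx7ZsbLk9a"  # constructed
    print("expires:", expires_at(found).strftime("%a %m/%d/%Y %H:%M UTC"))
    for ip, path, ua in crawler_reset_hits(SAMPLE_LOG):
        print(f"crawler {ip} fetched {path}")
```

Note what the result does and does not tell you: "in-window" says only that the timestamp has not aged out, and the first fetch consumes the link, so whoever arrives second gets nothing (in the constructed log the user beat Googlebot to their own link). For a site owner, a single crawler request to a /user/reset/ path is the thing to alert on, because it means the link was reachable by the indexer and may already be searchable.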
For example, I have tried logging into different user accounts on different sites. On some websites, I had access to the private messages they sent as well as received.
On the other hand, government websites running on Drupal were also found vulnerable. After logging into several websites, I was able to view all their data in plain text.
I also had all the rights of that user account, including the ability to change the password without even being asked for the old one.