CVE-2024-45440 Overview
CVE-2024-45440 is an Information Disclosure vulnerability affecting Drupal's core/authorize.php component. The vulnerability allows Full Path Disclosure when the hash_salt configuration is set to use file_get_contents() on a file that does not exist. This occurs even when error logging is explicitly disabled, potentially exposing sensitive server path information to attackers.
Critical Impact
Attackers can obtain full server path information which may be leveraged to facilitate further attacks, including targeted exploitation of other vulnerabilities that require knowledge of the application's file system structure.
Affected Products
- Drupal 11.x-dev
- Drupal Drupal (version 2023-05-09)
Discovery Timeline
- 2024-08-29 - CVE CVE-2024-45440 published to NVD
- 2025-04-21 - Last updated in NVD database
Technical Details for CVE-2024-45440
Vulnerability Analysis
This vulnerability stems from improper error handling in Drupal's authorization subsystem. When the hash_salt configuration directive is configured to retrieve its value from a file using PHP's file_get_contents() function, and the specified file does not exist, Drupal fails to properly suppress error messages. This results in the full server path being disclosed in error output, regardless of the site's error logging configuration settings.
The information disclosure vulnerability (CWE-209) bypasses Drupal's error suppression mechanisms, creating an unintended information leakage channel. An exploit for this vulnerability is publicly available on Exploit-DB, increasing the risk of opportunistic attacks.
Root Cause
The root cause lies in the error handling logic within core/authorize.php. When hash_salt is configured with a file_get_contents() call pointing to a non-existent file, PHP generates a warning or error that includes the full filesystem path. Drupal's error suppression settings (even when set to "None") do not intercept this specific error condition, allowing the path information to leak to the client response.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can remotely trigger this vulnerability by accessing the core/authorize.php endpoint when the misconfiguration exists. The attacker does not need any special privileges to exploit this flaw—simply sending a request to the vulnerable endpoint is sufficient to receive path disclosure information in the response.
The disclosed path information can be combined with other vulnerabilities to mount more sophisticated attacks, such as Local File Inclusion or targeted exploitation of known vulnerabilities in specific directory structures.
Detection Methods for CVE-2024-45440
Indicators of Compromise
- Unusual or repeated requests to /core/authorize.php from unknown sources
- Error responses containing full filesystem paths in server logs or client responses
- Evidence of reconnaissance activity targeting Drupal configuration endpoints
Detection Strategies
- Monitor web server access logs for repeated requests to core/authorize.php
- Implement Web Application Firewall (WAF) rules to detect and alert on path disclosure patterns in HTTP responses
- Review Drupal configuration files for hash_salt settings using file_get_contents() with potentially missing files
Monitoring Recommendations
- Enable comprehensive logging for all requests to Drupal core authorization endpoints
- Configure alerting for HTTP responses containing filesystem path patterns (e.g., /var/www/, /home/, Windows drive letters)
- Regularly audit Drupal settings.php for secure hash_salt configuration practices
How to Mitigate CVE-2024-45440
Immediate Actions Required
- Review and update the hash_salt configuration in settings.php to use a static string value rather than file_get_contents()
- Ensure any file referenced by hash_salt exists and is readable by the web server
- Implement a Web Application Firewall rule to filter responses containing path information
- Restrict access to core/authorize.php if not required for your deployment
Patch Information
Drupal has acknowledged this issue in Issue #3457781. Administrators should monitor the official Drupal security advisories and apply patches when available. Additional technical details about this vulnerability are available from Sens Cybersecurity.
Workarounds
- Configure hash_salt with a static random string directly in settings.php instead of using file_get_contents()
- If using file-based hash_salt, ensure the referenced file exists and contains valid content before deployment
- Implement server-level error suppression as an additional layer (e.g., display_errors = Off in PHP configuration)
- Use a reverse proxy or WAF to sanitize responses and strip any path disclosure information
# Configuration example - Update settings.php with a secure static hash_salt
# Replace the file_get_contents() call with a static random string
# In settings.php, change from:
# $settings['hash_salt'] = file_get_contents('/path/to/salt.txt');
# To:
# $settings['hash_salt'] = 'your-secure-random-string-at-least-64-characters-long';
# Verify the file permissions on settings.php
chmod 444 sites/default/settings.php
# Verify error display is disabled in php.ini
grep -E "^display_errors" /etc/php/*/apache2/php.ini
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
