Security Advisories

Subscribe to Security Advisories feed
Updated: 1 hour 14 min ago

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002

June 17, 2015 - 9:12am
Description Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).

Open redirect (Field UI module - Drupal 7 - Less critical)

The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126

Open redirect (Overlay module - Drupal 7 - Less critical)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

Information disclosure (Render cache system - Drupal 7 - Less critical)

On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.

This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).

CVE identifier(s) issued
  • Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
  • Open redirect (Field UI module - Drupal 7): CVE-2015-3232
  • Open redirect (Overlay module - Drupal 7: CVE-2015-3233
  • Information disclosure (Render cache system - Drupal 7): CVE-2015-3231
Versions affected
  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Fixed by

Impersonation in the OpenID module:

Open redirect in the Field UI module:

Open redirect in the Overlay module:

Information disclosure in the render cache system:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

March 18, 2015 - 11:04am
Description Access bypass (Password reset URLs - Drupal 6 and 7)

Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password.

In Drupal 7, this vulnerability is mitigated by the fact that it can only be exploited on sites where accounts have been imported or programmatically edited in a way that results in the password hash in the database being the same for multiple user accounts. In Drupal 6, it can additionally be exploited on sites where administrators have created multiple new user accounts with the same password via the administrative interface, or where accounts have been imported or programmatically edited in a way that results in the password hash in the database being empty for at least one user account.

Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value.

Open redirect (Several vectors including the "destination" URL parameter - Drupal 6 and 7)

Drupal core and contributed modules frequently use a "destination" query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.

This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack. However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.35
  • Drupal core 7.x versions prior to 7.35
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Fixed by

Access bypass via password reset URLs:

Open redirect via vectors including the "destination" URL parameter:

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity