According to a security advisory published yesterday, a flaw in Drupal core could, under certain circumstances, allow an attacker to bypass security restrictions by forging password reset URLs.
ACCESS BYPASS / PASSWORD RESET URLs VULNERABILITY
Successful exploitation of this access bypass vulnerability could allow an attacker to gain unauthorized access to user accounts without knowing their passwords.
The vulnerability is rated moderately critical: an attacker can remotely trick a registered user of a Drupal-based website, such as an administrator, into opening a maliciously crafted URL in an attempt to take control of the target server.
AFFECTED DRUPAL WEBSITES
On Drupal 7 websites, exploitation of the access bypass vulnerability is possible only if an account import or programmatic editing process has left the password hash in the database identical for multiple user accounts.
Websites running Drupal 6 are at greater risk, because there the vulnerability is also exploitable when administrators have created multiple new user accounts protected by the same password.
Moreover, the vulnerability can also be exploited on Drupal 6 websites where accounts have been imported or programmatically edited in a way that leaves the password hash field in the database empty for at least one user account.
"Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability," the Drupal security advisory notes. "This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value."
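As an added example (not from the advisory or this article), the following Python script performs the audit implied above on a Drupal 6/7 `users` table: it lists accounts that share a password hash and accounts whose hash is empty. It runs against a constructed in-memory SQLite copy of the table with placeholder hash values; on a real site, the two SQL statements can be run directly against the Drupal database.

```python
import sqlite3

# Constructed sample of a Drupal 6/7 `users` table, reduced to the columns the
# audit needs (uid, name, pass). Hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    (0, "", ""),                  # Drupal's built-in anonymous user row
    (1, "admin", "$S$hashA"),
    (2, "alice", "$S$hashB"),
    (3, "bob", "$S$hashB"),       # same hash as alice (same password on Drupal 6,
                                  # or a hash copied by an import on Drupal 7)
    (4, "carol", ""),             # hash left empty by an import/programmatic edit
    (5, "sso_erin", "external"),  # external auth: fixed, invalid password value
    (6, "sso_frank", "external"),
]

# Accounts whose hash is shared with at least one other account; uid 0 (the
# anonymous user, empty hash) is excluded by the non-empty condition.
DUPLICATE_HASH_SQL = """
SELECT u.uid, u.name, u.pass FROM users u
JOIN (SELECT pass FROM users WHERE uid > 0 AND pass <> ''
      GROUP BY pass HAVING COUNT(*) > 1) d ON d.pass = u.pass
ORDER BY u.pass, u.uid"""

# Real accounts with no password hash at all.
EMPTY_HASH_SQL = """SELECT uid, name FROM users
WHERE uid > 0 AND (pass IS NULL OR pass = '') ORDER BY uid"""

def build_sample_db():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def shared_hash_groups(conn):
    """Map each shared hash to the uid-ordered list of account names using it."""
    groups = {}
    for _uid, name, pw_hash in conn.execute(DUPLICATE_HASH_SQL):
        groups.setdefault(pw_hash, []).append(name)
    return groups

def empty_hash_accounts(conn):
    """Names of accounts (other than anonymous) whose password hash is empty."""
    return [name for _uid, name in conn.execute(EMPTY_HASH_SQL)]

if __name__ == "__main__":
    db = build_sample_db()
    print("shared hashes:", shared_hash_groups(db))   # alice/bob, sso_erin/sso_frank
    print("empty hashes:", empty_hash_accounts(db))   # carol
```

Any account that appears in either list should have its password reset (or its hash replaced with a unique, invalid value for externally authenticated accounts) in addition to applying the core update.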
OPEN REDIRECT VULNERABILITY
The affected versions of Drupal are also susceptible to an open redirect vulnerability. Drupal action URLs carry a "destination" parameter, which can be abused by cyber criminals to redirect users to a third-party location with malicious content.
According to the Drupal team, multiple URL-related API functions in the affected versions of Drupal 6 and 7 can be used by attackers to pass through external URLs when this is not intended, which could lead to additional open redirect vulnerabilities.
"This vulnerability is mitigated by the fact that many common uses of the "destination" parameter are not susceptible to the attack," developers note. "However, all confirmation forms built using Drupal 7's form API are vulnerable via the Cancel action that appears at the bottom of the form, and some Drupal 6 confirmation forms are vulnerable too."
The issue is serious because Drupal is used to power over 1 billion websites on the Internet, which puts Drupal in third place behind WordPress and Joomla. Drupal provides a content management system for websites including MTV, Popular Science, Sony Music, Harvard and MIT.
Website administrators are strongly recommended to take the following steps:
- Update to the latest version of Drupal core, i.e. Drupal core 6.35 and Drupal core 7.35
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not click on links from unknown sources.
- Do not open email attachments from unknown or untrusted sources.
- Consider implementing file extension whitelists for allowed e-mail attachments.