Security experts discovered two critical vulnerabilities in Drupal CMS, one of them is an Access bypass (Password reset URLs) vulnerability that could be exploited to forge Password Reset URLs.
“Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user’s account without knowing the account’s password.” reports Drupal in a security advisory.
The vulnerabilities affect Drupal 6.x versions prior to 6.35 and Drupal 7.x versions prior to 7.35, it has been estimated nearly 983,000 installations of a total 1.1 million websites are exposed to the risks
Bad actors can leverage the security issue to access user accounts without knowing their password. Drupal Versions 6.35 and 7.35 are available for download to fix the two critical flaws.
As explained by the Drupal team in a security advisory, the websites where the same password is used for multiple accounts resulted more vulnerable to cyber attacks. The flaws are exploitable only under specific conditions. In Drupal 7, the flaw is exploitable only if website administrators import or programmatically edit accounts with the same password hash for multiple accounts. In Drupal 6, the vulnerability is also exploitable by attackers if the website administrators create multiple new user accounts with the same password, or if the password hash field in the database is empty.
“Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value,” added Drupal.
The second flaw is an Open redirect vulnerability, the attackers manipulate the “destination” parameter to exploit the open redirect vulnerability. The “destination” parameter is used in URLs to redirect website visitors to a new page after they have completed an action, in this specific case the attacker can use the parameter to craft an URL that will trick users into being redirected to a 3rd party website.
“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” Drupal said. “In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.”
Users have to update their Drupal websites urgently.
(Security Affairs – Drupal, CMS)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.