Drupal flaw allows reset password by crafting specific URLs

Pierluigi Paganini March 20, 2015

The Drupal team issued an update to fix a flaw that allows attackers reset password by crafting URLs under certain circumstances.

Security experts discovered two critical vulnerabilities in Drupal CMS, one of them is an Access bypass (Password reset URLs) vulnerability that could be exploited to forge Password Reset URLs.

“Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user’s account without knowing the account’s password.” reports Drupal in a security advisory.

The vulnerabilities affect Drupal 6.x versions prior to 6.35 and Drupal 7.x versions prior to 7.35, it has been estimated nearly 983,000 installations of a total 1.1 million websites are exposed to the risks

Bad actors can leverage the security issue to access user accounts without knowing their password. Drupal Versions 6.35 and 7.35 are available for download to fix the two critical flaws.

drupal flaws 2

As explained by the Drupal team in a security advisory, the websites where the same password is used for multiple accounts resulted more vulnerable to cyber attacks. The flaws are exploitable only under specific conditions. In Drupal 7, the flaw is exploitable only if website administrators import or programmatically edit accounts with the same password hash for multiple accounts. In Drupal 6, the vulnerability is also exploitable by attackers if the website administrators create multiple new user accounts with the same password, or if the password hash field in the database is empty.

“Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value,” added Drupal.

The second flaw is an Open redirect vulnerability, the attackers manipulate the “destination” parameter to exploit the open redirect vulnerability. The “destination” parameter is used in URLs to redirect website visitors to a new page after they have completed an action, in this specific case the attacker can use the parameter to craft an URL  that will trick users into being redirected to a 3rd party website.

“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” Drupal said. “In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.”

Users have to update their Drupal websites urgently.

Pierluigi Paganini

(Security Affairs – Drupal, CMS)



you might also like

leave a comment