Multiple vulnerabilities in Drupal Core could allow Unauthorized Access (DRUPAL-SA-CORE-2014-006)

ITS Advisory Number: 2014-100
Date(s) Issued: Monday, November 24, 2014
Subject: Multiple vulnerabilities in Drupal Core could allow Unauthorized Access (DRUPAL-SA-CORE-2014-006)
Overview: 

Vulnerabilities have been reported in Drupal 6 and 7 core that could allow unauthorized access. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation could occur if an attacker uses a specially crafted request to give a user access to another user's session, allowing the attacker to hijack a random session belonging to another user. This could allow the attacker to gain unauthorized access to information or services in a computer system.

Systems Affected: 

Drupal core 6.x versions prior to 6.34
Drupal core 7.x versions prior to 7.34

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

Vulnerabilities have been discovered in the Drupal 6 and 7 core which could allow session hijacking. Specifically, the vulnerabilities are:

Due to the way certain Drupal 7 sites serve both HTTP and HTTPS content ("mixed-mode"), a specially crafted request could allow unauthorized access to information or services in a computer system. Other attack vectors for this vulnerability may exist in Drupal 6 and Drupal 7, but details are unknown at this time.
The Drupal 7 password hashing API could allow an attacker to send specially crafted requests resulting in CPU and memory exhaustion, causing a denial of service.
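
The second item is a resource-exhaustion problem: when the cost of hashing a submitted password grows with the length of attacker-controlled input, a handful of login requests can consume a server's CPU. The Python example below is added here for illustration and is not Drupal's code; it models a salted, iterated SHA-512 hash in which every round re-hashes the previous digest together with the full password (an assumption about the design, since this advisory does not describe the algorithm), and places the weak pattern that accepts any length beside a hardened variant that rejects over-long input before any expensive work begins. The round count and the 512-byte bound are constructed demo values, not figures from the advisory.

```python
import hashlib
import time
from typing import Callable, Optional

# Constructed demo parameters (assumptions, not values taken from the advisory).
ROUNDS = 1024              # iteration count for the model; real deployments use far more
MAX_PASSWORD_BYTES = 512   # upper bound enforced by the hardened variant
DIGEST_LEN = 64            # SHA-512 output size in bytes


def iterated_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Simplified model of a salted, iterated SHA-512 password hash.

    Each round hashes (previous digest || entire password), so the work per
    round grows linearly with the password length. This mirrors a common
    iterated-hash design and is an assumption, not the advisory's description.
    """
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(rounds):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def hash_unbounded(password: bytes, salt: bytes) -> bytes:
    """Weak pattern: any password length is accepted, so the caller of the
    login form decides how much CPU each attempt costs."""
    return iterated_hash(password, salt)


def hash_bounded(password: bytes, salt: bytes) -> Optional[bytes]:
    """Hardened pattern: refuse over-long input before the iterated work starts.
    Returning None lets the login path fail fast instead of burning CPU."""
    if len(password) > MAX_PASSWORD_BYTES:
        return None
    return iterated_hash(password, salt)


def bytes_hashed(password_len: int, salt_len: int, rounds: int = ROUNDS) -> int:
    """Total bytes fed through SHA-512 for one hash of the model above:
    the salted first pass plus (digest + password) for every round."""
    return salt_len + password_len + rounds * (DIGEST_LEN + password_len)


def timed(fn: Callable[[bytes, bytes], Optional[bytes]],
          password: bytes, salt: bytes) -> float:
    """Wall-clock seconds spent in one call of fn."""
    start = time.perf_counter()
    fn(password, salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = b"constructed-salt"
    normal = b"correct horse battery staple"
    oversized = b"A" * (256 * 1024)   # constructed 256 KiB "password"

    print(f"normal password, unbounded: {timed(hash_unbounded, normal, salt):.4f}s "
          f"({bytes_hashed(len(normal), len(salt)):,} bytes hashed)")
    print(f"256 KiB password, unbounded: {timed(hash_unbounded, oversized, salt):.4f}s "
          f"({bytes_hashed(len(oversized), len(salt)):,} bytes hashed)")
    print(f"256 KiB password, bounded:   {timed(hash_bounded, oversized, salt):.6f}s "
          f"(rejected before hashing)")
```

Run stand-alone, the script shows the unbounded variant's cost scaling with the submitted length while the bounded variant returns immediately for the oversized input; the bound must sit in front of the hashing routine itself, not only in the web form, because the request body is attacker-controlled regardless of what the form's HTML declares.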

Actions: 

Update to a non-vulnerable version of Drupal core.
Remind users not to click links from unknown sources, and not to click any link without verifying its intended destination.
Do not open email attachments from unknown or untrusted sources.
Consider implementing file extension whitelists for allowed email attachments.