Multiple Vulnerabilities in Drupal Could Allow for Security Bypass

ITS Advisory Number: 
2015-066
Date(s) Issued: 
Friday, June 19, 2015
Subject: 
Multiple Vulnerabilities in Drupal Could Allow for Security Bypass
Overview: 

Multiple vulnerabilities have been discovered in Drupal core modules. Drupal is an open source content management system (CMS) written in PHP. 

Successful exploitation of these vulnerabilities could allow an unauthorized user to hijack other user accounts - including ones with administrative privileges, allow for user redirection to potentially malicious sites, or disclose private information.

Systems Affected: 
  • Drupal core 6.x versions prior to 6.36
  • Drupal core 7.x versions prior to 7.38
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Drupal core modules are prone to multiple vulnerabilities. These vulnerabilities are as follows:

  • User impersonation/access bypass in the OpenID module (CVE-2015-3234)
  • Open redirect in Field UI an Overlay modules (CVE-2015-3232, CVE-2015-3233)
  • Information disclosure in the Render cache system (CVE-2015-3231)

Successful exploitation of these vulnerabilities could allow an unauthorized user to hijack other user accounts - including ones with administrative privileges, allow for user redirection to potentially malicious sites, or disclose private information.

Actions: 

We recommend the following actions be taken:

  • Update Drupal core to the latest version, after appropriate testing.
  • Run all software as a non-privileged user to diminish effects of a successful attack.
  • Limit user account privileges to those required only.