Vulnerabilities in Drupal Could Allow for Security-Bypass and Phishing Attacks

ITS Advisory Number: 
2015-030
Date(s) Issued: 
Thursday, March 19, 2015
Subject: 
Vulnerabilities in Drupal Could Allow for Security-Bypass and Phishing Attacks
Overview: 
A vulnerability has been reported in the Drupal core that allows for phishing attacks. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of this vulnerability results in the attacker gaining unauthorized access to the CMS and after persuading a user to follow a crafted URI, it takes the user to the attacker controlled site for phishing and other types of attacks.
Systems Affected: 
  • Drupal core 6.x versions prior to 6.35
  • Drupal core 7.x versions prior to 7.35
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 
A vulnerability has been discovered in the Drupal core that may allow an attacker to bypass security restrictions because of a failure to protect the reset password URLs. Another vulnerability that exists in the affected versions mentioned above is a failure to sanitize URLs that are supplied by the user for the “destination” parameter in a query string. This allows the attacker to place a crafted URI into the “destination” parameter and persuade a user to follow it.
Actions: 

We recommend the following actions be taken:

  • Update to the latest version of Drupal
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
  • Do not open email attachments from unknown or untrusted sources.
  • Consider implementing file extension whitelists for allowed e-mail attachments.