Blog Header Banner

Drupal Web Site Security Alert : Forged Password Reset URLs   no comments

Mar 24, 2015 @ 8:57am cloud security,Web hosting

turnkey_internet_hosts_drupal_web_hostingWhile you may have been urged by Drupal to update your software late in 2014 due to SQL injection attacks in compromised Drupal 7 sites. Drupal has released version 6.35 and 7.35 to address a few newly discovered vulnerabilities within their software.

Listed in an advisory by Drupal’s security team, Drupal stated one of the vulnerabilities they are addressing has allowed password reset URLs to be forged. This allows malicious users to gain access without knowing the password.
In Drupal 7 this vulnerability is segragated to sites where accounts have been imported or edited in ways that will result in the password hash, in the database being the same for multiple user accounts.

In Drupal 6 this vunlnerability can be exploited on sites where administrators have created multiple user accounts with the same password. As well as where accounts have been imported or edited in ways that will result in the password hash, in the database being empty for at least one user account. Drupal 6 sites having an empty password hash, or a password with an easily compromised string in the database are extreamly prone to this vulnerability.

The second vulnerability Drupal’s team has patched is the ability for malicous users to devise a URL, sending visitors to a 3rd party website.

Drupal modules use a destination query to redirect users to a new destination after completing an action. Malicious users can use this destination parameter to construct a URL that will fool users by redirected them to a 3rd party website. Several URL related API functions in Drupal 6 and 7 can be fooled into passing through external URLs when that was not the intention, leading to open redirect vulnerabilities.

This vulnerability is has been down played as a large amount of the destination parameter are not vulnerable to the attack. Although, all confirmation forms built using Drupal 7’s form API are vulnerable! Drupal has also stated some Drupal 6 confirmation forms are vulnerable too.

Drupal versions affected:

Drupal core 6.x versions prior to 6.35

Drupal core 7.x versions prior to 7.35

How to rectify these vulnerabilities? Update to the latest versions.

If you use the Drupal 6.x upgrade to Drupal core 6.35

If you use the Drupal 7.x upgrade to Drupal core 7.35

For those using TurnKey Internet’s Web Hosting with Drupal can simply login to your cPanel control panel, click on the Softaculous icon, and update your drupal version from there as well as from the Drupal Control panel of your installated copy on your web site.  If any questions contact our customer service team, or keep posted on our help desk at http://helpdesk.turnkeyinternet.net/

Share : Facebooktwitterredditlinkedinmail Follow Us : Facebooktwitterlinkedinyoutubeinstagram

Written by admin on March 24th, 2015

Tagged with , , , , ,

Leave a Reply