Exploit the possiblities

Drupal Core 7.x Denial Of Service / Access Bypass

Drupal Core 7.x Denial Of Service / Access Bypass
Posted May 3, 2012
Site drupal.org

Core functionality of Drupal 7.x suffers from denial of service and access bypass vulnerabilities.

tags | advisory, denial of service, vulnerability
advisories | CVE-2012-1588, CVE-2012-1589, CVE-2012-1590, CVE-2012-1591
MD5 | 3415ff0111c0f267a36bbbfdaedcd904

Drupal Core 7.x Denial Of Service / Access Bypass

Change Mirror Download
View online: http://drupal.org/node/1557938

* Advisory ID: DRUPAL-SA-CORE-2012-002
* Project: Drupal core [1]
* Version: 7.x
* Date: 2012-May-2
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Denial of Service, Access bypass

-------- DESCRIPTION
---------------------------------------------------------

.... Denial of Service

CVE: CVE-2012-1588
Drupal core's text filtering system provides several features including
removing inappropriate HTML tags and automatically linking content that
appears to be a link. A pattern in Drupal's text matching was found to be
inefficient with certain specially crafted strings. This vulnerability is
mitigated by the fact that users must have the ability to post content sent
to the filter system such as a role with the "post comments" or "Forum topic:
Create new content" permission.

.... Unvalidated form redirect

CVE: CVE-2012-1589
Drupal core's Form API allows users to set a destination, but failed to
validate that the URL was internal to the site. This weakness could be abused
to redirect the login from to a remote site with a malicious script that
harvests the login credentials and redirects to the live site. This
vulnerability is mitigated only by the end user's ability to recognize a URL
with malicious query parameters to avoid the social engineering required to
exploit the problem.

.... Access bypass - forum listing

CVE: CVE-2012-1590
Drupal core's forum lists fail to check user access to nodes when displaying
them in the forum overview page. If an unpublished node was the most recently
updated in a forum then users who should not have access to unpublished forum
posts were still be able to see meta-data about the forum post such as the
post title.

.... Access bypass - private images

CVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and
Image Styles which create derivative images from an original image that may
differ, for example, in size or saturation. Drupal core failed to properly
terminate the page request for cached image styles allowing users to access
image derivatives for images they should not be able to view. Furthermore,
Drupal didn't set the right headers to prevent image styles from being cached
in the browser.

.... Access bypass - content administration

CVE: Requested.
Drupal core provides the ability to list nodes on a site at admin/content.
Drupal core failed to confirm a user viewing that page had access to each
node in the list. This vulnerability only concerns sites running a
contributed node access module and is mitigated by the fact that users must
have a role with the "view content overview" permission. Unpublished nodes
were not displayed to users who only had the "view content overview"
permission.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Drupal core 7.x versions prior to 7.13.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

* If you use Drupal 7.x, upgrade to Drupal core 7.13 [3]

Also see the Drupal core [4] project page.

-------- REPORTED BY
---------------------------------------------------------

* The Denial of Service vulnerability was reported by Jay Wineinger [5] and
Lin Clark [6].
* The unvalidated form redirect vulnerability was reported by Károly
Négyesi [7] of the Drupal Security Team.
* The access bypass in forum listing vulnerability was reported by Glen W
[8].
* The access bypass for private images vulnerability was reported by frega
[9], Andreas Gonell [10], Jeremy Meier [11] and Xenza [12].
* The access bypass for the content administration vulnerability was
reported by Jennifer Hodgdon [13].

-------- FIXED BY
------------------------------------------------------------

* The Denial of Service was fixed by Károly Négyesi [14] of the Drupal
Security Team.
* The unvalidated form redirect was fixed by Wolfgang Ziegler [15] and
Stéphane Corlosquet [16] of the Drupal Security Team.
* The access bypass in forum listing was fixed by Michael Hess [17] of the
Drupal Security Team, Ben Jeavons [18] of the Drupal Security Team and xjm
[19].
* The Access bypass for private images was fixed by Károly Négyesi [20] of
the Drupal Security Team, Damien Tournoud [21] of the Drupal Security
Team, Greg Knaddison [22] of the Drupal Security Team, Stéphane
Corlosquet [23] of the Drupal Security Team, Xenza [24] and frega [25].
* The Access bypass for content administration was fixed by Jennifer Hodgdon
[26].

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [27].

Learn more about the Drupal Security team and their policies [28], writing
secure code for Drupal [29], and securing your site [30].


[1] http://drupal.org/project/drupal
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/node/1558412
[4] http://drupal.org/project/drupal
[5] http://drupal.org/user/923254
[6] http://drupal.org/user/396253
[7] http://drupal.org/user/9446
[8] http://drupal.org/user/170314
[9] http://drupal.org/user/243377
[10] http://drupal.org/user/414525
[11] http://drupal.org/user/1271628
[12] http://drupal.org/user/1792496
[13] http://drupal.org/user/155601
[14] http://drupal.org/user/9446
[15] http://drupal.org/user/16747
[16] http://drupal.org/user/52142
[17] http://drupal.org/user/102818
[18] http://drupal.org/user/91990
[19] http://drupal.org/user/65776
[20] http://drupal.org/user/9446
[21] http://drupal.org/user/22211
[22] http://drupal.org/user/36762
[23] http://drupal.org/user/52142
[24] http://drupal.org/user/1792496
[25] http://drupal.org/user/243377
[26] http://drupal.org/user/155601
[27] http://drupal.org/contact
[28] http://drupal.org/security-team
[29] http://drupal.org/writing-secure-code
[30] http://drupal.org/security/secure-configuration

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close