Date: Thu, 19 Mar 2015 20:45:09 -0400 (EDT)
From: cve-assign@...re.org
To: pere@...a.cat
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests for Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Access bypass (Password reset URLs - Drupal 6 and 7)
> Password reset URLs can be forged under certain circumstances,
> allowing an attacker to gain access to another user's account without
> knowing the account's password.

Based on the
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549
changes, we think that there is a single underlying issue in which the
attack vector seems to be essentially expressed by:

  $attack_reset_url = str_replace("user/reset/{$user1->id()}",
                                  "user/reset/{$user2->id()}", $reset_url);

regardless of the Drupal version -- i.e., 6.x, 7.x, or an unreleased
8.x version. (For purposes of determining the correct number of CVE
IDs, it is probably not relevant that 6.x and 7.x have different ways
in which problematic accounts may have been created.)

Use CVE-2015-2559.


> Open redirect (Several vectors including the "destination" URL
> parameter - Drupal 6 and 7)
> Under certain circumstances, malicious users can use the destination
> URL parameter to construct a URL that will trick users into being
> redirected to a 3rd party website, thereby exposing the users to
> potential social engineering attacks.

This one might be more complicated for CVE assignment. If a single
change to a single piece of code addressed all of these open-redirect
issues, then a single CVE ID may be possible. However, it appears that
the situation might be a series of related problems that were found in
different places (and possibly different versions) by different
people. https://www.drupal.org/SA-CORE-2015-001 lists two external
discoverers, as well as discoverers from the Drupal Security Team. As
an example, suppose that there were three independent reports, and
each report included three unique affected parameters: one of which
existed only in 6.x, one of which existed only in 7.x, and one of
which existed in both 6.x and 7.x. That would have 9 CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVC20XAAoJEKllVAevmvmsY2UH/3H4RpFVSHhCL/TT1XA2aV9q
IqXTfWqJb2CXDbb/zPFPyf5fWihmwB222+mLgIUfxuGIJ3QM2/rr39rYFQmMEvrG
dkVOBiAb8napQy4hmpIOzcqav9PUBLIocRVM1Z+qDC8GM0HC55RgZyKVRKlp8UWF
ljIyfMKJI22SR5SQNl/kyaf3NYx7cpSNq8G45mn12aegUgifrHL/HEiF+E1SerjQ
N14t4HVCDoaIMCA5DIclIyLGeSJQrBuP4kvJsQA9P951ksk9K0GU5X06tlCQRRTg
jN6uZ8a2LZ1zGydXsLdnk+EtY2Tf69Cdbs9xUJ4rd2W9vhhF3zWAoaviDxvEcKw=
=bJNA
-----END PGP SIGNATURE-----
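The `str_replace` in the message above is the whole attack: take a legitimate one-time login URL for the account you control and swap in another account's ID. Why that can succeed is easier to see with a runnable model. The block below is an added example, not Drupal's code or the CVE team's; it assumes (as a simplification of the shape of Drupal's reset hash) that the pre-fix token was an HMAC over the timestamp and per-account fields that did not include the user ID, and that the fix adds the ID to the hashed data. The two accounts, the site salt and the timestamps are constructed for the example.

```python
"""Model of the forged password-reset URL (added illustration, not Drupal code).

A one-time login URL has the shape user/reset/{uid}/{timestamp}/{hash}.
ASSUMPTION: the hash is an HMAC over the timestamp and per-account fields.
The pre-fix variant omits the uid, so two accounts whose hashed fields are
identical (e.g. both imported with an empty stored password and never logged in)
share a token, and replacing the uid in the URL still validates.
"""
import hashlib
import hmac

SITE_SALT = b"example-site-hash-salt"  # constructed for the example

# Constructed accounts: both created by a bulk import with an empty stored
# password and no login yet, so every field the old hash covers is equal.
ACCOUNTS = {
    1: {"pass": "", "login": 0},   # attacker's own account
    2: {"pass": "", "login": 0},   # victim account
}


def rehash_old(uid, timestamp):
    """Pre-fix style token: uid is NOT part of the hashed data."""
    acct = ACCOUNTS[uid]
    data = f"{timestamp}{acct['login']}".encode()
    key = SITE_SALT + acct["pass"].encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def rehash_fixed(uid, timestamp):
    """Fixed style token: uid is bound into the hashed data."""
    acct = ACCOUNTS[uid]
    data = f"{timestamp}{acct['login']}{uid}".encode()
    key = SITE_SALT + acct["pass"].encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_reset_url(uid, timestamp, rehash):
    return f"user/reset/{uid}/{timestamp}/{rehash(uid, timestamp)}"


def validate_reset_url(url, rehash, now, timeout=86400):
    """Return the uid the URL logs in as, or None if it is rejected."""
    parts = url.split("/")
    if len(parts) != 5 or parts[:2] != ["user", "reset"]:
        return None
    uid, ts, presented = int(parts[2]), int(parts[3]), parts[4]
    if uid not in ACCOUNTS or ts > now or now - ts > timeout:
        return None
    # Constant-time comparison of the presented hash against a recomputed one.
    if not hmac.compare_digest(presented, rehash(uid, ts)):
        return None
    return uid


def forge(reset_url, victim_uid, attacker_uid):
    """The str_replace from the message: swap the attacker's uid for the victim's."""
    return reset_url.replace(f"user/reset/{attacker_uid}",
                             f"user/reset/{victim_uid}", 1)


def demo(rehash, now=1426808709):
    """Request a reset for uid 1, rewrite it to uid 2, see which account it opens."""
    attacker_url = build_reset_url(1, now, rehash)
    forged = forge(attacker_url, victim_uid=2, attacker_uid=1)
    return validate_reset_url(forged, rehash, now)


if __name__ == "__main__":
    print("old hash, forged URL logs in as uid:", demo(rehash_old))     # 2
    print("fixed hash, forged URL logs in as uid:", demo(rehash_fixed))  # None
```

The fix is the one-field change in `rehash_fixed`: once the token binds the account ID, identical password and login fields on two accounts no longer yield an interchangeable token, which is why the message treats the 6.x/7.x differences in how such accounts arise as irrelevant to the count of CVE IDs.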

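For the open-redirect part of the advisory, the practical question is what a `destination` parameter check has to reject so that a crafted link cannot send the user off-site. The block below is an added example and not Drupal's code; the allow-rule (honour a destination only if it is a site-relative path, and treat anything a browser would resolve to another origin as external) and the sample inputs are assumptions constructed for the example.

```python
"""Validation of a ?destination= parameter (added illustration, not Drupal code).

ASSUMED policy: only a site-relative path is honoured. Anything carrying a scheme
or authority, or starting with two slash-like characters (browsers resolve both
"//host" and "/\\host" as protocol-relative), falls back to the default target.
"""
from urllib.parse import urlsplit


def is_local_destination(dest):
    """True only if `dest` resolves within the current site."""
    if not dest:
        return False
    # Leading/embedded whitespace and control characters can change how a
    # browser re-parses the scheme, so reject them outright.
    if any(ord(c) < 0x21 for c in dest):
        return False
    # "//evil.example", "/\\evil.example", "///evil.example": protocol-relative.
    if dest[0] in "/\\" and dest[1:2] and dest[1] in "/\\":
        return False
    parts = urlsplit(dest)
    # Catches "http://evil.example/", "http:evil.example", "javascript:...".
    if parts.scheme or parts.netloc:
        return False
    return True


def resolve_destination(dest, default="/"):
    """Where to redirect: the validated destination, else the site default."""
    return dest if is_local_destination(dest) else default


# Constructed inputs with the expected verdict under the assumed policy.
SAMPLE_DESTINATIONS = {
    "node/1": True,
    "/user/login?foo=bar": True,
    "node/1?next=http://evil.example": True,   # external string only in the query
    "http://evil.example/": False,
    "http:evil.example": False,
    "//evil.example/": False,
    "/\\evil.example": False,
    "///evil.example": False,
    "javascript:alert(1)": False,
    " //evil.example": False,
    "": False,
}

if __name__ == "__main__":
    for dest, expected in SAMPLE_DESTINATIONS.items():
        verdict = is_local_destination(dest)
        print(f"{dest!r:36} local={verdict} expected={expected}")
```

The explicit two-character check before `urlsplit` matters: a URL parser that splits on "//" alone sees `/\evil.example` as a plain path, while browsers normalise the backslash and go to `evil.example`. Rejecting rather than normalising keeps the rule simple to audit.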