Date: Thu, 19 Mar 2015 20:45:09 -0400 (EDT)
Subject: Re: CVE requests for Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

> Access bypass (Password reset URLs - Drupal 6 and 7)
> Password reset URLs can be forged under certain circumstances,
> allowing an attacker to gain access to another user's account without
> knowing the account's password.

Based on the
changes, we think that there is a single underlying issue in which the
attack vector seems to be essentially expressed by:

  $attack_reset_url = str_replace("user/reset/{$user1->id()}",
                                  "user/reset/{$user2->id()}", $reset_url);

regardless of the Drupal version -- i.e., 6.x, 7.x, or an unreleased
8.x version. (For purposes of determining the correct number of CVE
IDs, it is probably not relevant that 6.x and 7.x have different ways
in which problematic accounts may have been created.)

Use CVE-2015-2559.

> Open redirect (Several vectors including the "destination" URL
> parameter - Drupal 6 and 7)
> Under certain circumstances, malicious users can use the destination
> URL parameter to construct a URL that will trick users into being
> redirected to a 3rd party website, thereby exposing the users to
> potential social engineering attacks.

This one might be more complicated for CVE assignment. If a single
change to a single piece of code addressed all of these open-redirect
issues, then a single CVE ID may be possible. However, it appears that
the situation might be a series of related problems that were found in
different places (and possibly different versions) by different
people. lists two external
discoverers, as well as discoverers from the Drupal Security Team. As
an example, suppose that there were three independent reports, and
each report included three unique affected parameters: one of which
existed only in 6.x, one of which existed only in 7.x, and one of
which existed in both 6.x and 7.x. That would have 9 CVE IDs.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
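To illustrate the single underlying issue described in the message, here is an added Python example (not Drupal's code and not part of the original post): a password-reset token computed as an HMAC bound to the uid, the issue time and the account's current credential state, so that the uid substitution shown above no longer verifies. The site secret, the in-memory user table and the URL layout are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed assumptions (not Drupal's implementation): a per-site secret and
# a tiny user table holding each account's password hash and last-login time.
SITE_SECRET = b"constructed-site-secret-do-not-reuse"
USERS = {
    1: {"pass_hash": "hash-of-user1-password", "login": 1000},
    2: {"pass_hash": "hash-of-user2-password", "login": 2000},
}
RESET_PATH = re.compile(r"/user/reset/(\d+)/(\d+)/([0-9a-f]{64})$")


def reset_token(uid, timestamp):
    """HMAC over uid, issue time and the account's current credential state,
    so the token is tied to one account and dies when the password changes."""
    u = USERS[uid]
    msg = f"{uid}:{timestamp}:{u['pass_hash']}:{u['login']}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()


def make_reset_url(uid, timestamp):
    token = reset_token(uid, timestamp)
    return f"https://example.test/user/reset/{uid}/{timestamp}/{token}"


def verify_reset_url(url, now, max_age=86400):
    """Return the uid the URL is valid for, or None.  The token is recomputed
    from the uid found in the URL, so swapping that uid breaks the HMAC."""
    m = RESET_PATH.search(url)
    if not m:
        return None
    uid, timestamp, token = int(m.group(1)), int(m.group(2)), m.group(3)
    if uid not in USERS or not (0 <= now - timestamp <= max_age):
        return None
    if not hmac.compare_digest(token, reset_token(uid, timestamp)):
        return None
    return uid


def substitute_uid(reset_url, uid1, uid2):
    """The str_replace from the message above, used here only to exercise
    the verifier."""
    return reset_url.replace(f"user/reset/{uid1}", f"user/reset/{uid2}")
```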