[arch-security] [ASA-201503-18] drupal: multiple issues

Fri Mar 20 14:51:42 UTC 2015

Arch Linux Security Advisory ASA-201503-18
==========================================

Severity: Medium
Date    : 2015-03-20
CVE-ID  : CVE-2015-2559
Package : drupal
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package drupal before version 7.35-1 is vulnerable to access bypass
and open redirects.

Resolution
==========

Upgrade to 7.35-1.

# pacman -Syu "drupal>=7.35-1"

The problems have been fixed upstream in version 7.35.

Workaround
==========

None.

Description
===========

- CVE-2015-2559 (access bypass)

Password reset URLs can be forged under certain circumstances, allowing
an attacker to gain access to another user's account without knowing the
account's password.
In Drupal 7, this vulnerability is mitigated by the fact that it can
only be exploited on sites where accounts have been imported or
programmatically edited in a way that results in the password hash in
the database being the same for multiple user accounts.

- None (open redirect)

Under certain circumstances, malicious users can use the destination URL
parameter to construct a URL that will trick users into being redirected
to a 3rd party website, thereby exposing the users to potential social
engineering attacks.

Impact
======

A remote attacker may gain access to another user's account or take
advantage of open redirect issues to trick users into being redirected
to a 3rd party website.

References
==========

https://www.drupal.org/SA-CORE-2015-001
http://www.openwall.com/lists/oss-security/2015/03/20/2
https://security-tracker.debian.org/tracker/CVE-2015-2559

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150320/6a128262/attachment.asc>