Vulnerabilities in Drupal Could Allow for Security-Bypass and Phishing Attacks
MS-ISAC ADVISORY NUMBER:2015-031
A vulnerability has been reported in the Drupal core that could allow for phishing attacks. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of this vulnerability could result in the attacker gaining unauthorized access to the CMS and after persuading a user to follow a crafted URI, it would take the user to the attacker controlled site for phishing and other types of attacks.
There is no known proof-of-concept code available at this time.
- Drupal core 6.x versions prior to 6.35
- Drupal core 7.x versions prior to 7.35
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
A vulnerability has been discovered in the Drupal core that may allow an attacker to bypass security restrictions because of a failure to protect the reset password URLs. Another vulnerability that exists in the affected versions mentioned above is a failure to sanitize URLs that are supplied by the user for the “destination” parameter in a query string. This allows the attacker to place a crafted URI into the “destination” parameter and persuade a user to follow it.
We recommend the following actions be taken:
Update to the latest version of Drupal core.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Remind users not to click links from unknown sources, or to click links without verifying the intended destination.
Do not open email attachments from unknown or untrusted sources.
Consider implementing file extension whitelists for allowed e-mail attachments.