oss-sec mailing list archives

Re: CVE requests for Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001


From: cve-assign () mitre org
Date: Thu, 19 Mar 2015 20:45:09 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Access bypass (Password reset URLs - Drupal 6 and 7)
Password reset URLs can be forged under certain circumstances,
allowing an attacker to gain access to another user's account without
knowing the account's password.

Based on the
http://cgit.drupalcode.org/drupal/commit/?id=8e54eca05a65c6231b02510e1917af0c9191e549
changes, we think that there is a single underlying issue in which the
attack vector seems to be essentially expressed by:

  $attack_reset_url = str_replace("user/reset/{$user1->id()}",
                                  "user/reset/{$user2->id()}", $reset_url);

regardless of the Drupal version -- i.e., 6.x, 7.x, or an unreleased
8.x version. (For purposes of determining the correct number of CVE
IDs, it is probably not relevant that 6.x and 7.x have different ways
in which problematic accounts may have been created.)

Use CVE-2015-2559.


Open redirect (Several vectors including the "destination" URL
parameter - Drupal 6 and 7)
Under certain circumstances, malicious users can use the destination
URL parameter to construct a URL that will trick users into being
redirected to a 3rd party website, thereby exposing the users to
potential social engineering attacks.

This one might be more complicated for CVE assignment. If a single
change to a single piece of code addressed all of these open-redirect
issues, then a single CVE ID may be possible. However, it appears that
the situation might be a series of related problems that were found in
different places (and possibly different versions) by different
people. https://www.drupal.org/SA-CORE-2015-001 lists two external
discoverers, as well as discoverers from the Drupal Security Team. As
an example, suppose that there were three independent reports, and
each report included three unique affected parameters: one of which
existed only in 6.x, one of which existed only in 7.x, and one of
which existed in both 6.x and 7.x. That would have 9 CVE IDs.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVC20XAAoJEKllVAevmvmsY2UH/3H4RpFVSHhCL/TT1XA2aV9q
IqXTfWqJb2CXDbb/zPFPyf5fWihmwB222+mLgIUfxuGIJ3QM2/rr39rYFQmMEvrG
dkVOBiAb8napQy4hmpIOzcqav9PUBLIocRVM1Z+qDC8GM0HC55RgZyKVRKlp8UWF
ljIyfMKJI22SR5SQNl/kyaf3NYx7cpSNq8G45mn12aegUgifrHL/HEiF+E1SerjQ
N14t4HVCDoaIMCA5DIclIyLGeSJQrBuP4kvJsQA9P951ksk9K0GU5X06tlCQRRTg
jN6uZ8a2LZ1zGydXsLdnk+EtY2Tf69Cdbs9xUJ4rd2W9vhhF3zWAoaviDxvEcKw=
=bJNA
-----END PGP SIGNATURE-----
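The substitution shown in the message above (rewrite the uid segment of your own reset URL to the victim's uid) only works when the reset token does not depend on the uid. The following Python is an added example, not code from Drupal or from the MITRE message: it models a simplified reset-token scheme in both shapes. `rehash_vulnerable` authenticates only the timestamp and last-login time under a key derived from the site key and the stored password, so two accounts with an empty password and a login time of 0 (the "problematic accounts" the message alludes to) get identical tokens for the same timestamp; `rehash_fixed` also binds the uid into the authenticated message, which is the shape of the fix in the linked commit. The site key, the two sample accounts, the host name and the token encoding are all constructed for this example and are not Drupal's actual values or its `user_pass_rehash()` implementation.

```python
import hashlib
import hmac
import re

# Constructed sample data (not from the Drupal codebase): two accounts that were
# created without a password and have never logged in. Sharing an empty password
# and a zero login timestamp is what makes them "problematic" for this attack.
SITE_KEY = b"constructed-site-private-key"
USERS = {
    1: {"pass": "", "login": 0},  # victim
    2: {"pass": "", "login": 0},  # account the attacker controls
}
RESET_LIFETIME = 86400
RESET_RE = re.compile(r"/user/reset/(\d+)/(\d+)/([0-9a-f]+)$")


def rehash_vulnerable(password, timestamp, login, uid):
    """Pre-fix shape: the uid is never covered by the MAC, so two accounts with
    the same password and login time get identical tokens for a timestamp."""
    msg = f"{timestamp}{login}".encode()
    return hmac.new(SITE_KEY + password.encode(), msg, hashlib.sha256).hexdigest()


def rehash_fixed(password, timestamp, login, uid):
    """Post-fix shape: the uid is part of the authenticated message."""
    msg = f"{timestamp}{login}{uid}".encode()
    return hmac.new(SITE_KEY + password.encode(), msg, hashlib.sha256).hexdigest()


def make_reset_url(uid, timestamp, rehash):
    """Mint the one-time login URL the site would e-mail to account `uid`."""
    u = USERS[uid]
    token = rehash(u["pass"], timestamp, u["login"], uid)
    return f"https://example.test/user/reset/{uid}/{timestamp}/{token}"


def verify_reset_url(url, rehash, now):
    """Return the uid the URL logs in as, or None if the URL is rejected."""
    m = RESET_RE.search(url)
    if not m:
        return None
    uid, timestamp, token = int(m.group(1)), int(m.group(2)), m.group(3)
    u = USERS.get(uid)
    if u is None or timestamp > now or now - timestamp > RESET_LIFETIME:
        return None
    if timestamp <= u["login"]:  # a link issued before the last login is stale
        return None
    expected = rehash(u["pass"], timestamp, u["login"], uid)
    return uid if hmac.compare_digest(token, expected) else None


def forge(reset_url, own_uid, target_uid):
    """The substitution from the quoted test: rewrite only the uid path segment."""
    return reset_url.replace(f"user/reset/{own_uid}/", f"user/reset/{target_uid}/")


if __name__ == "__main__":
    ts = 1426800000
    own = make_reset_url(2, ts, rehash_vulnerable)
    print("vulnerable:", verify_reset_url(forge(own, 2, 1), rehash_vulnerable, ts + 60))
    own = make_reset_url(2, ts, rehash_fixed)
    print("fixed:     ", verify_reset_url(forge(own, 2, 1), rehash_fixed, ts + 60))
```

With the vulnerable rehash, the attacker requests a reset for account 2, edits the uid in the e-mailed link to 1, and the verifier accepts it as a login for the victim. With the uid bound into the MAC the same edit produces a token mismatch. Note that lifetime and last-login checks alone do not help here: the forged link is just as fresh as the genuine one, so the fix has to be in what the token authenticates.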

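The open-redirect item above describes a `destination` parameter that is handed straight to the redirect. As an added example, not code from Drupal or from the MITRE message, the Python below shows a handler that trusts the parameter beside one that only ever redirects to a site-relative path, and exercises both against constructed query strings covering the usual bypass shapes: an absolute URL, a protocol-relative `//host`, a percent-encoded backslash variant that browsers normalise to `//host`, and a bare `javascript:` scheme. The sample hostname and query strings are constructed; the checks are a generic illustration of the validation, not Drupal's own `url_is_external()` logic.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample query strings an attacker might append to a login link.
SAMPLES = {
    "benign":            "destination=node/1",
    "absolute":          "destination=http://evil.example/",
    "protocol_relative": "destination=//evil.example",
    "backslash":         "destination=%2F%5Cevil.example",
    "tab_split":         "destination=/%09/evil.example",
    "scheme_only":       "destination=javascript:alert(1)",
}


def redirect_target_vulnerable(query_string):
    """Trust ?destination= outright: whatever the user supplied is the Location."""
    q = parse_qs(query_string)
    return q.get("destination", ["/"])[0]


def _normalise(dest):
    """Mimic browser URL cleanup: drop tabs/newlines, strip leading whitespace."""
    return "".join(c for c in dest if c not in "\t\r\n").lstrip(" ")


def is_external(dest):
    """True if a browser would resolve `dest` somewhere other than this site."""
    d = _normalise(dest)
    parts = urlsplit(d)
    if parts.scheme or parts.netloc:      # http://..., //host, javascript:...
        return True
    if d.startswith(("/\\", "\\")):      # browsers treat backslash as '/'
        return True
    return False


def redirect_target_hardened(query_string, default="/"):
    """Only redirect to a site-relative path; anything else falls back to `default`."""
    q = parse_qs(query_string)
    dest = _normalise(q.get("destination", [""])[0])
    if not dest or is_external(dest):
        return default
    return dest if dest.startswith("/") else "/" + dest


if __name__ == "__main__":
    for name, qs in SAMPLES.items():
        print(f"{name:18} vulnerable -> {redirect_target_vulnerable(qs)!r:32} "
              f"hardened -> {redirect_target_hardened(qs)!r}")
```

The decision is made on the decoded, normalised value rather than on the raw query string, because the percent-encoded and tab-split forms only become `//host` after the decoding the browser (or the framework) performs. An allow-list of exact local paths is stricter still; the check above is the minimum that stops the off-site redirect while keeping `destination` usable for post-login return paths.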
