Drupal Fixes Critical OpenID Bug

Drupal has patched several vulnerabilities in versions 6 and 7 of the content-management system, including a critical bug that enables an attacker to hijack administrators’ accounts and take arbitrary actions on target sites.

That vulnerability lies in the OpenID module in Drupal that enables users to authenticate themselves using the OpenID protocol. The protocol is based on the OAuth 2.0 specification and is used widely around the Web. The Drupal module that implements this functionality contains a bug that allows an attacker to impersonate other users, which is sub-optimal.

The bug is present in versions 6 and 7 of Drupal.

“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the Drupal advisory says.

“This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).”

Among the other three vulnerabilities patched in the new releases are two open redirect bugs in Drupal 7. One of the flaws is in the Field UI module, while the other is in the overlay module.

“The Field UI module uses a ‘destinations’ query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” the advisory says.

The other open redirect vulnerability is similar.

“The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability,” the advisory says.

The fourth bug is an information disclosure issue that could result in unprivileged users being able to view cached content viewed by other users.

The Drupal developers recommend that users update to version 6.36 or 7.38.

Suggested articles