This article is more than 1 year old

Drupal flicks fix to nix OpenID admin account hijack hole

Verisign, LiveJournal and StackExchange members are your unknown admins

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators.

The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system.

Drupal's security team say attackers can target unpatched systems if they hold an OpenID account.

"A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts," the team wrote in an advisory .

"This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers including, but not limited to, Verisign, LiveJournal, or StackExchange."

Less critical flaws include one (CVE-2015-3232) affecting websites that use the Drupal 7 Field ID module which attackers can use to redirect users to malicious web properties.

Another (CVE-2015-3233) relates to poor validation checks in the overlay module leading to another open direct hole for sites that have enabled the 'access the administrative overlay' permission which will overlay pages as Javascript.

The final vulnerability (CVE-2015-3231) is in an information disclosure hole in Drupal 7 that could cache sensitive data then viewable by a non-priveleged primary user (user 1).

The risk from that hole is minimal however since it affects only sites that use the Render Cache module or equivalent custom code, and have assigned user 1 as a non-admin account which requires changing the default configuration. ®

More about

TIP US OFF

Send us news


Other stories you might like