Drupal flicks fix to nix OpenID admin account hijack hole
Verisign, LiveJournal and StackExchange members are your unknown admins
Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators.
The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system.
Drupal's security team say attackers can target unpatched systems if they hold an OpenID account.
"A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts," the team wrote in an advisory .
"This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers including, but not limited to, Verisign, LiveJournal, or StackExchange."
Less critical flaws include one (CVE-2015-3232) affecting websites that use the Drupal 7 Field ID module which attackers can use to redirect users to malicious web properties.
The final vulnerability (CVE-2015-3231) is in an information disclosure hole in Drupal 7 that could cache sensitive data then viewable by a non-priveleged primary user (user 1).
The risk from that hole is minimal however since it affects only sites that use the Render Cache module or equivalent custom code, and have assigned user 1 as a non-admin account which requires changing the default configuration. ®