             AUSCERT External Security Bulletin Redistribution

   Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002
                               18 June 2015


        AusCERT Security Bulletin Summary

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise       -- Existing Account            
                   Access Privileged Data         -- Existing Account            
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3234 CVE-2015-3233 CVE-2015-3232 CVE-2015-3231

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

View online: https://www.drupal.org/SA-CORE-2015-002

   * Advisory ID: DRUPAL-SA-CORE-2015-002
   * Project: Drupal core [1]
   * Version: 6.x, 7.x
   * Date: 2015-June-17
   * Security risk: 15/25 ( Critical)
     AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
   * Vulnerability: Access bypass, Information Disclosure, Open Redirect,
     Multiple vulnerabilities

-------- DESCRIPTION---------------------------------------------------------

.... Impersonation (OpenID module - Drupal 6 and 7 - Critical)

A vulnerability was found in the OpenID module that allows a malicious user
to log in as other users on the site, including administrators, and hijack
their accounts.

This vulnerability is mitigated by the fact that the victim must have an
account with an associated OpenID identity from a particular set of OpenID
providers (including, but not limited to, Verisign, LiveJournal, or
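
The advisory does not describe how the impersonation works, so the following is not a reconstruction of the Drupal bug. It is an added example, not code from the OpenID module, of the checks the OpenID Authentication 2.0 specification (sections 11.1 to 11.4) requires a relying party to make on a positive assertion before mapping the claimed identifier to a local account: the assertion's op_endpoint and identity are compared against what the relying party itself discovered for the claimed identifier, rather than trusted as sent. All endpoints, identifiers, the account mapping and the assertions are constructed for the example; the signature check is passed in as a callable and assumed correct.

```python
"""OpenID 2.0 relying-party checks on a positive assertion (added example,
not Drupal's OpenID module; all endpoints, identifiers and assertions are
constructed). Implements spec sections 11.1-11.4: return_to, discovered
information, nonce and signature coverage."""
from urllib.parse import urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed discovery results keyed by claimed identifier: which OP endpoint
# is authoritative for it and which OP-local identifier to expect.
DISCOVERED = {
    "https://alice.provider.example/": {
        "op_endpoint": "https://openid.provider.example/server",
        "local_id": "https://alice.provider.example/",
    },
}
# Constructed mapping of claimed identifiers to local site accounts.
ACCOUNTS = {"https://alice.provider.example/": "alice"}

REQUIRED = ("openid.ns", "openid.mode", "openid.op_endpoint", "openid.claimed_id",
            "openid.identity", "openid.return_to", "openid.response_nonce",
            "openid.assoc_handle", "openid.signed", "openid.sig")
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                  "claimed_id", "identity"}


def normalize(url):
    """Case-fold scheme and host, drop the fragment."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower(), fragment="").geturl()


def verify_assertion(params, expected_return_to, signature_ok, seen_nonces):
    """Return the local account for an acceptable assertion, else None.
    signature_ok(params) stands in for the association/check_authentication
    signature check; seen_nonces holds (op_endpoint, nonce) pairs already used."""
    if any(k not in params for k in REQUIRED):
        return None
    if params["openid.ns"] != OPENID_NS or params["openid.mode"] != "id_res":
        return None
    # 11.1: the assertion must have come back to the URL the RP sent.
    if normalize(params["openid.return_to"]) != normalize(expected_return_to):
        return None
    # 11.2: op_endpoint and identity must match what discovery said about the
    # claimed_id. Trusting op_endpoint as sent lets any OP the attacker runs
    # assert alice's identifier.
    claimed = normalize(params["openid.claimed_id"])
    disc = DISCOVERED.get(claimed)
    if disc is None or normalize(params["openid.op_endpoint"]) != normalize(disc["op_endpoint"]):
        return None
    if normalize(params["openid.identity"]) != normalize(disc["local_id"]):
        return None
    # 10.1/11.4: the mandatory fields must be covered by a valid signature.
    if not MUST_BE_SIGNED <= set(params["openid.signed"].split(",")) or not signature_ok(params):
        return None
    # 11.3: a nonce is accepted once per OP endpoint (replay protection).
    nonce_key = (disc["op_endpoint"], params["openid.response_nonce"])
    if nonce_key in seen_nonces:
        return None
    seen_nonces.add(nonce_key)
    return ACCOUNTS.get(claimed)


def make_assertion(op_endpoint, nonce="2015-06-17T00:00:00Zabc"):
    """Constructed id_res message claiming alice's identifier from op_endpoint."""
    return {
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "https://alice.provider.example/",
        "openid.identity": "https://alice.provider.example/",
        "openid.return_to": "https://site.example/openid/authenticate",
        "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.sig": "constructed",
    }


def demo():
    """Honest assertion, one forged by an attacker-run OP, and a replay."""
    seen = set()
    return_to = "https://site.example/openid/authenticate"

    def signature_ok(_params):  # signature layer assumed correct for this demo
        return True

    honest = make_assertion("https://openid.provider.example/server")
    forged = make_assertion("https://openid.attacker.example/server")
    return {
        "honest": verify_assertion(honest, return_to, signature_ok, seen),
        "forged": verify_assertion(forged, return_to, signature_ok, seen),
        "replay": verify_assertion(honest, return_to, signature_ok, seen),
    }
```

demo() returns "alice" for the honest assertion, None for the one whose op_endpoint is an attacker-controlled provider even though every other field matches, and None for the replay. The point to keep in mind when auditing any OpenID relying party: an assertion is only as trustworthy as the discovery step that binds the claimed identifier to its provider.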

.... Open redirect (Field UI module - Drupal 7 - Less critical)

The Field UI module uses a "destinations" query string parameter in URLs to
redirect users to new destinations after completing an action on a few
administration pages. Under certain circumstances, malicious users can use
this parameter to construct a URL that will trick users into being redirected
to a 3rd party website, thereby exposing the users to potential social
engineering attacks.

This vulnerability is mitigated by the fact that only sites with the Field UI
module enabled are affected.

Drupal 6 core is not affected, but see the similar advisory for the Drupal 6
contributed CCK module: SA-CONTRIB-2015-126 [3]

.... Open redirect (Overlay module - Drupal 7 - Less critical)

The Overlay module displays administrative pages as a layer over the current
page (using JavaScript), rather than replacing the page in the browser
window. The Overlay module does not sufficiently validate URLs prior to
displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against
site users who have the "Access the administrative overlay" permission, and
that the Overlay module must be enabled.
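
Both redirects above come down to accepting a destination value that a browser can resolve to another origin. The following validator is an added example, not code from Drupal core's Field UI or Overlay modules; the function names and the test vectors are assumptions for illustration. It accepts the two internal forms a Drupal 7 site uses (a bare internal path such as "node/1", or a site-relative path such as "/admin/structure") and rejects protocol-relative, backslash, scheme-prefixed, control-character and percent-encoded variants, which are the cases a naive "starts with a slash" or "contains no ://" check misses.

```python
"""Validate a redirect destination so it can only point back into the site.

Added example, not code from Drupal core; the function names and the
constructed inputs below are assumptions for illustration.
"""
from urllib.parse import unquote, urlsplit

# Browsers strip tab/newline from URLs and other C0 controls are never
# legitimate here: "/\t/evil.example" turns into "//evil.example" after stripping.
_CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}


def _looks_local(value: str) -> bool:
    if value == "" or any(ch in _CONTROL for ch in value):
        return False
    # Protocol-relative ("//host") and backslash variants ("/\host", "\host")
    # are resolved by browsers against a different host.
    if value.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(value)
    # Any scheme ("https:", "javascript:", even "http:evil.example") or any
    # authority component means the value is not an internal path.
    return parts.scheme == "" and parts.netloc == ""


def is_local_destination(value) -> bool:
    """True only if the raw value and its once-decoded form are both internal."""
    if not isinstance(value, str) or not _looks_local(value):
        return False
    # A later layer (the router, a second redirect) may URL-decode the value,
    # so "/%2F%2Fevil.example" has to fail as well.
    return _looks_local(unquote(value))


def safe_redirect_target(value, fallback="/"):
    """Return the destination if it is internal, otherwise the fallback path."""
    return value if is_local_destination(value) else fallback


# Constructed test vectors: (input, expected verdict).
VECTORS = [
    ("node/1", True),
    ("/admin/structure/types", True),
    ("/admin/structure?field=body#top", True),
    ("//evil.example/login", False),
    ("/\\evil.example", False),
    ("https://evil.example/", False),
    ("javascript:alert(1)", False),
    ("http:evil.example", False),
    ("/%2F%2Fevil.example", False),
    ("/\t/evil.example", False),
    ("", False),
]


def check_vectors():
    """Return the inputs whose verdict differs from the expected one."""
    return [v for v, expected in VECTORS if is_local_destination(v) != expected]
```

check_vectors() returns the inputs whose verdict differs from the expected one (empty when all pass). The once-decoded re-check matters because the same value often passes through a second layer that URL-decodes it; a nested destination inside the query string (such as /admin?destination=//evil.example) is a separate value that must be validated on its own at the point where it is read.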

.... Information disclosure (Render cache system - Drupal 7 - Less critical)

On sites utilizing Drupal 7's render cache system to cache content on the
site by user role, private content viewed by user 1 may be included in the
cache and exposed to non-privileged users.

This vulnerability is mitigated by the fact that render caching is not used
in Drupal 7 core itself (it requires custom code or the contributed Render
Cache [4] module to enable) and that it only affects sites that have user 1
browsing the live site. Exposure is also limited if an administrative role
has been assigned to the user 1 account (which is done, for example, by the
Standard install profile that ships with Drupal core).
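
To see why caching by role set exposes user 1's view, the following simulation is an added example, not Drupal code; the block, node titles, roles, permissions and cache-id functions are constructed for illustration, modelled on Drupal 7's per-role cache granularity and on user_access() treating uid 1 as holding every permission.

```python
"""Simulate a render cache keyed by role set leaking the superuser's view.

Added example, not Drupal code. Nodes, roles, permissions and the cache-id
functions are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int
    roles: frozenset


@dataclass(frozen=True)
class Node:
    nid: int
    title: str
    private: bool  # visible only with the "view private" permission


NODES = (Node(1, "Public welcome", False), Node(2, "Unreleased pricing", True))
ROLE_PERMS = {"authenticated": frozenset(), "administrator": frozenset({"view private"})}


def user_access(perm, user):
    """Like Drupal's user_access(): uid 1 bypasses every permission check."""
    if user.uid == 1:
        return True
    return any(perm in ROLE_PERMS.get(role, ()) for role in user.roles)


def render_block(user):
    """The expensive render step: access-check each node for this user."""
    return [n.title for n in NODES if not n.private or user_access("view private", user)]


def cid_per_role(user):
    """Vulnerable: the cache id depends only on the role set, so uid 1 shares
    an entry with every other user holding exactly the same roles."""
    return "block:r." + ",".join(sorted(user.roles))


def cid_per_role_fixed(user):
    """Hardened: uid 1's output differs from its roles' output, so it gets its
    own entry (skipping the cache for uid 1 would also be acceptable)."""
    if user.uid == 1:
        return "block:uid.1"
    return cid_per_role(user)


class RenderCache:
    def __init__(self, cid_fn):
        self.cid_fn = cid_fn
        self.store = {}

    def get(self, user):
        cid = self.cid_fn(user)
        if cid not in self.store:
            self.store[cid] = render_block(user)
        return self.store[cid]


def scenario(cid_fn, superuser_roles=frozenset({"authenticated"})):
    """uid 1 browses first (warming the cache), then a regular user asks."""
    cache = RenderCache(cid_fn)
    superuser = User(1, superuser_roles)
    regular = User(42, frozenset({"authenticated"}))
    cache.get(superuser)
    return cache.get(regular)
```

scenario(cid_per_role) returns both titles for the regular user, because user 1 warmed the entry shared by everyone holding only the authenticated role; scenario(cid_per_role_fixed) returns only the public title. Passing superuser_roles=frozenset({"authenticated", "administrator"}) to scenario() reproduces the advisory's mitigation: with an administrator role on uid 1 the role sets differ, so the cache entries no longer collide.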

-------- CVE IDENTIFIER(S) ISSUED--------------------------------------------

   * Impersonation (OpenID module - Drupal 6 and 7): *CVE-2015-3234*
   * Open redirect (Field UI module - Drupal 7): *CVE-2015-3232*
   * Open redirect (Overlay module - Drupal 7): *CVE-2015-3233*
   * Information disclosure (Render cache system - Drupal 7): *CVE-2015-3231*

-------- VERSIONS AFFECTED---------------------------------------------------

   * Drupal core 6.x versions prior to 6.36
   * Drupal core 7.x versions prior to 7.38

-------- SOLUTION------------------------------------------------------------

Install the latest version:

   * If you use Drupal 6.x, upgrade to Drupal core 6.36 [5]
   * If you use Drupal 7.x, upgrade to Drupal core 7.38 [6]

Also see the Drupal core [7] project page.

-------- REPORTED BY---------------------------------------------------------

Impersonation in the OpenID module:

   * Vladislav Mladenov
   * Christian Mainka [8]
   * Christian Koßmann [9]

Open redirect in the Field UI module:

   * Michael Smith [10]

Open redirect in the Overlay module:

   * Jeroen Vreuls [11]
   * David Rothstein [12] of the Drupal Security Team

Information disclosure in the render cache system:

   * Nathaniel Catchpole [13] of the Drupal Security Team

-------- FIXED BY------------------------------------------------------------

Impersonation in the OpenID module:

   * Christian Schmidt [14], OpenID module maintainer
   * Christian Mainka [15]
   * Christian Koßmann [16]

Open redirect in the Field UI module:

   * Yves Chedemois [17], Field UI module maintainer
   * Damien McKenna [18] provisional member of the Drupal Security Team
   * Pere Orga [19] of the Drupal Security Team
   * David Rothstein [20] of the Drupal Security Team
   * Klaus Purer [21] of the Drupal Security Team

Open redirect in the Overlay module:

   * Jeroen Vreuls [22]
   * Ben Dougherty [23] of the Drupal Security Team
   * David Rothstein [24] of the Drupal Security Team
   * Katherine Senzee [25], Overlay module maintainer

Information disclosure in the render cache system:

   * David Rothstein [26] of the Drupal Security Team
   * Wim Leers [27]
   * willzyx [28]

-------- COORDINATED BY------------------------------------------------------

   * The Drupal Security Team [29]

-------- CONTACT AND MORE INFORMATION----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [30].

Learn more about the Drupal Security team and their policies [31], writing
secure code for Drupal [32], and securing your site [33].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [34]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/2507753
[4] https://www.drupal.org/project/render_cache
[5] https://www.drupal.org/drupal-6.36-release-notes
[6] https://www.drupal.org/drupal-7.38-release-notes
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/user/1096424
[9] https://www.drupal.org/user/3101253
[10] https://www.drupal.org/user/1291584
[11] https://www.drupal.org/user/2700643
[12] https://www.drupal.org/u/david_rothstein
[13] https://www.drupal.org/u/catch
[14] https://www.drupal.org/user/216078
[15] https://www.drupal.org/user/1096424
[16] https://www.drupal.org/user/3101253
[17] https://www.drupal.org/user/39567
[18] https://www.drupal.org/user/108450
[19] https://www.drupal.org/user/2301194
[20] https://www.drupal.org/u/david_rothstein
[21] https://www.drupal.org/u/klausi
[22] https://www.drupal.org/user/2700643
[23] https://www.drupal.org/user/1852732
[24] https://www.drupal.org/u/david_rothstein
[25] https://www.drupal.org/u/ksenzee
[26] https://www.drupal.org/u/david_rothstein
[27] https://www.drupal.org/user/99777
[28] https://www.drupal.org/user/1043862
[29] https://www.drupal.org/security-team
[30] https://www.drupal.org/contact
[31] https://www.drupal.org/security-team
[32] https://www.drupal.org/writing-secure-code
[33] https://www.drupal.org/security/secure-configuration
[34] https://twitter.com/drupalsecurity

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.