Vulnerabilities are considered moderately critical

Mar 19, 2015 10:10 GMT  ·  By

New versions of Drupal 6 and 7 have been announced that contain only security fixes. One of them closes a flaw that lets an attacker gain access to another user’s account without knowing that account’s password.

The flaw can be exploited under certain circumstances by forging the one-time password reset URL that Drupal e-mails to users. Drupal rates it moderately critical because exploitation depends on a specific condition in the site’s stored account data rather than on something the attacker controls; where that condition holds, however, the attacker simply visits the forged link and needs no interaction from the victim, and a forged link for an administrator account yields full administrative access to the site.

Not all websites are affected

Exploiting the flaw on Drupal 7 is possible only on sites whose database holds the same password hash for more than one account. Because Drupal 7 salts its password hashes, two users who happen to choose the same password do not normally share a hash; the condition arises when accounts are bulk-imported or edited programmatically with a fixed hash value.

The risk is greater for sites running Drupal 6, which stores unsalted MD5 password hashes: any accounts created with the same password share a hash, so an administrator who set the same password on several accounts has already created the precondition. The flaw can also be exploited on Drupal 6 against any account whose password hash field was left empty by an import or editing process.

“Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value,” the Drupal security advisory notes.
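To make the precondition above concrete, the following is an added example written for this article; it is not Drupal’s code and not taken from the advisory. It models the reset token as an HMAC over the request timestamp and the account’s last-login time, keyed with a per-site secret plus the stored password hash, and it assumes (as the pre-fix weakness) that the account ID is not part of the authenticated message. The Drupal 6 style token is modelled as an unkeyed md5 over the same fields. The site key, user table, names and timestamps are all constructed for the demonstration.

```python
"""Model of a forgeable password-reset token (added example, not Drupal code).

Assumptions, all constructed for this demonstration:
  * the token is an HMAC keyed with a per-site secret plus the account's stored
    password hash, over the request timestamp and the account's last-login time;
  * before the fix the account ID is not part of the authenticated message;
  * the Drupal 6 style token is modelled as an unkeyed md5 over the same fields.
"""
import hashlib
import hmac

SITE_KEY = b"constructed-site-secret"  # stand-in for a per-site private key

# Constructed user table: uid -> name, stored password hash, last login time.
# uid 1 and uid 2 share a hash (e.g. both imported with the same placeholder)
# and neither has logged in yet, so last-login is 0 for both. uid 4 models an
# externally authenticated account whose password field was left empty.
USERS = {
    1: {"name": "admin",    "pass_hash": "$S$placeholder-from-import", "login": 0},
    2: {"name": "attacker", "pass_hash": "$S$placeholder-from-import", "login": 0},
    3: {"name": "editor",   "pass_hash": "$S$editor-own-unique-hash",  "login": 0},
    4: {"name": "sso-user", "pass_hash": "",                           "login": 0},
}


def token_pre_fix(user, timestamp, uid):
    """Pre-fix scheme: the uid is accepted but NOT mixed into the message."""
    msg = f"{timestamp}{user['login']}".encode()
    key = SITE_KEY + user["pass_hash"].encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def token_fixed(user, timestamp, uid):
    """Fixed scheme: the uid is bound into the message, so a token minted for
    one account never verifies for another, even when stored hashes collide."""
    msg = f"{timestamp}{user['login']}{uid}".encode()
    key = SITE_KEY + user["pass_hash"].encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def token_d6_style(user, timestamp, uid):
    """Modelled Drupal 6 style token (assumption): no site secret at all, only
    the stored password field, timestamp and last login go into an md5."""
    raw = f"{timestamp}{user['pass_hash']}{user['login']}".encode()
    return hashlib.md5(raw).hexdigest()


def verify_reset_url(uid, timestamp, token, token_fn, now, max_age=86400):
    """Server-side check of /user/reset/UID/TIMESTAMP/TOKEN: recompute the
    token for the uid named in the URL and compare in constant time."""
    user = USERS.get(uid)
    if user is None or not 0 <= now - timestamp <= max_age:
        return False
    return hmac.compare_digest(token_fn(user, timestamp, uid), token)


def forge_via_shared_hash(attacker_uid, victim_uid, token_fn, now):
    """The attacker requests a legitimate reset link for their own account,
    then swaps the uid in the path for the victim's. Returns True if the
    swapped link is accepted by the server."""
    own_token = token_fn(USERS[attacker_uid], now, attacker_uid)
    return verify_reset_url(victim_uid, now, own_token, token_fn, now)


def forge_d6_empty_hash(victim_uid, now):
    """Drupal 6 style forgery against an account whose password field is empty
    and that never logged in: every input is public or guessable, so the
    attacker computes the token with no secret and no account of their own."""
    guessed = hashlib.md5(f"{now}{''}{0}".encode()).hexdigest()
    return verify_reset_url(victim_uid, now, guessed, token_d6_style, now)


if __name__ == "__main__":
    now = 1426752000  # constructed timestamp
    print("pre-fix, shared hash:  ", forge_via_shared_hash(2, 1, token_pre_fix, now))
    print("pre-fix, distinct hash:", forge_via_shared_hash(2, 3, token_pre_fix, now))
    print("fixed, shared hash:    ", forge_via_shared_hash(2, 1, token_fixed, now))
    print("d6 style, empty hash:  ", forge_d6_empty_hash(4, now))
```

The point of the model is the input to the MAC, not the MAC itself: as long as the uid is absent, every account that shares a stored hash and a last-login value yields the same token, so a reset link the attacker legitimately received for their own account verifies for the administrator too. Binding the uid closes that path without touching the password storage, while the unkeyed Drupal 6 style token shows why an empty or fixed password field is the worst case: nothing in the token is secret.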

Redirection to third-party websites

This is not the only weakness addressed by the freshly released Drupal 7.35 and 6.35: earlier versions of the open source content management system (CMS) are also susceptible to open redirect vulnerabilities.

Drupal core and contributed modules frequently append a “destination” query parameter to URLs so that the user is sent back to a chosen page after completing an action. Under certain circumstances an attacker can craft a link whose destination points at a third-party site, so that a user who trusts the Drupal domain ends up on malicious content.

Drupal maintainers say that several URL-related API functions in earlier versions could be tricked into passing through external URLs where only internal paths were intended, potentially opening further redirects. Confirmation forms built on Drupal 7’s form API are affected through their Cancel link, the developers say.
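The following is an added example illustrating the check a “destination” handler needs; it is written for this article and is not Drupal’s own code. It models an internal-versus-external decision on the decoded destination value (scheme-relative paths, backslash variants and a scheme before the first slash are treated as external, a colon appearing later in the path is not) and falls back to a constructed default path. The default path, query strings and the cancel-link helper are assumptions made for the demonstration; Drupal’s actual internal paths have no leading slash, which the model follows.

```python
"""Validating a 'destination' redirect parameter (added example, not Drupal code).

Assumptions made for this demonstration: destinations are Drupal-style
internal paths without a leading slash (e.g. "node/1"), the value arrives
already URL-decoded once (as a query parameter would), and the fallback
after an action is the constructed path DEFAULT_AFTER_ACTION.
"""
import re
from urllib.parse import parse_qs

DEFAULT_AFTER_ACTION = "node"  # constructed fallback: the site front page path


def destination_is_external(path: str) -> bool:
    """Return True if a browser would leave the site when redirected to path."""
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is fetched as "//evil.example". Normalise before any other check.
    path = path.replace("\\", "/")
    # Two leading slashes make a scheme-relative URL: the browser keeps the
    # current scheme and goes to the named host.
    if path.startswith("//"):
        return True
    # A colon before any '/', '?' or '#' marks a scheme ("http:", "data:",
    # "javascript:"). A colon later on is just data, so
    # "node/1?next=http://example.com" stays internal.
    colon = path.find(":")
    if colon == -1:
        return False
    return not re.search(r"[/?#]", path[:colon])


def resolve_destination(query_string: str, default: str = DEFAULT_AFTER_ACTION) -> str:
    """Pick the post-action redirect target from a query string such as
    'destination=node/1'. Missing or external destinations fall back to
    the default instead of being passed through."""
    params = parse_qs(query_string, keep_blank_values=True)
    dest = params.get("destination", [""])[0]
    if not dest or destination_is_external(dest):
        return default
    return dest


def confirm_form_cancel_href(query_string: str, base_path: str = "/") -> str:
    """Href for a confirmation form's Cancel link: the validated destination
    prefixed with the site's base path, never a raw external URL."""
    return base_path + resolve_destination(query_string)


if __name__ == "__main__":
    # Constructed sample query strings an attacker or a normal user might send.
    samples = [
        "destination=node/1",
        "destination=user/login?next=http://example.com",
        "destination=http://evil.example/",
        "destination=//evil.example",
        "destination=/%5Cevil.example",      # decodes to "/\evil.example"
        "destination=javascript:alert(1)",
        "destination=",
    ]
    for qs in samples:
        print(f"{qs!r:50} -> {resolve_destination(qs)!r}")
```

Double-encoded payloads such as `destination=%252F%252Fevil.example` decode once to `%2F%2Fevil.example`, which the check treats as an ordinary local path and the browser then requests on the same host, so a single decode before validation is the right amount. The Cancel-link helper shows the pattern the page refers to: the link must be built from the validated value, not from the raw parameter.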

As of March 8, according to usage statistics published by the CMS maintainers, a little over 162,000 websites run Drupal 6.x and close to 1 million run Drupal 7.x.

Website administrators are strongly advised to upgrade to the latest versions of the platform, which are also available for download from Softpedia.