Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002


Advisory ID: DRUPAL-SA-CORE-2015-002
Project: Drupal core
Version: 6.x, 7.x
Date: 2015-June-17
Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure, Open Redirect, Multiple vulnerabilities
Description
Impersonation (OpenID module - Drupal 6 and 7 - Critical)
A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).
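The check an OpenID 2.0 relying party has to make on every positive assertion before treating it as a login, as an added example that is not code from Drupal's OpenID module: a valid signature only proves that some provider signed the response, and section 11.2 of the OpenID Authentication 2.0 specification additionally requires that the endpoint and identifier in the assertion match what discovery on the claimed identifier returned. A relying party that skips that comparison will accept an assertion for someone else's identifier from a provider the attacker controls. This advisory does not describe the flaw at that level of detail, so what follows is the general protocol check rather than a description of the specific bug; all URLs and the discovery array are constructed.

```php
<?php
// Added example, not code from Drupal's OpenID module: the discovery
// consistency check an OpenID 2.0 relying party applies to every positive
// assertion (OpenID Authentication 2.0, section 11.2). A valid signature only
// proves that some provider signed the response; this check proves that the
// signing provider is the one discovery on the claimed identifier points to.
// All URLs and the $discovered array are constructed for the example.

/**
 * Normalise a claimed identifier for comparison.
 *
 * Scheme and host compare case-insensitively, the path does not, and the
 * fragment is not part of the identifier. Returns '' for anything that is not
 * an absolute http(s) URL.
 */
function openid_normalize_claimed_id(string $claimed_id): string {
  $parts = parse_url($claimed_id);
  if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
    return '';
  }
  $scheme = strtolower($parts['scheme']);
  if ($scheme !== 'http' && $scheme !== 'https') {
    return '';
  }
  $path = (isset($parts['path']) && $parts['path'] !== '') ? $parts['path'] : '/';
  $query = isset($parts['query']) ? '?' . $parts['query'] : '';
  return $scheme . '://' . strtolower($parts['host']) . $path . $query;
}

/**
 * TRUE only if the assertion's (claimed_id, identity, op_endpoint) triple
 * matches a service that discovery returned for that claimed identifier.
 *
 * $discovered maps a normalised claimed identifier to the services found for
 * it: each has the provider endpoint 'uri' and, for delegated identifiers, the
 * OP-local identifier 'local_id'. In a real RP this is the cached result of
 * Yadis/HTML discovery that ran before the user was sent to the provider.
 * Assumes the signature over openid.signed has already been verified and that
 * these three fields were among the signed ones.
 */
function openid_assertion_matches_discovery(array $response, array $discovered): bool {
  foreach (['openid.claimed_id', 'openid.identity', 'openid.op_endpoint'] as $key) {
    if (empty($response[$key])) {
      return false;
    }
  }
  $claimed_id = openid_normalize_claimed_id($response['openid.claimed_id']);
  if ($claimed_id === '' || empty($discovered[$claimed_id])) {
    // No discovery information for this identifier. The RP must run discovery
    // on it now and compare again; it must never accept the assertion as-is.
    return false;
  }
  foreach ($discovered[$claimed_id] as $service) {
    // Without delegation the OP-local identifier is the claimed identifier.
    $local_id = $service['local_id'] ?? $claimed_id;
    if ($service['uri'] === $response['openid.op_endpoint']
        && $local_id === $response['openid.identity']) {
      return true;
    }
  }
  return false;
}

// Constructed discovery result: the victim's identifier delegates to
// op.example.net under a provider-local identifier.
$discovered = [
  'https://victim.example.net/' => [
    ['uri' => 'https://op.example.net/server',
     'local_id' => 'https://op.example.net/id/victim'],
  ],
];

// A genuine assertion from the discovered provider.
$genuine = [
  'openid.claimed_id' => 'https://victim.example.net/',
  'openid.identity' => 'https://op.example.net/id/victim',
  'openid.op_endpoint' => 'https://op.example.net/server',
];

// The same claimed identifier asserted by a provider the attacker runs. Its
// signature can verify against the attacker's own association, so only the
// discovery comparison rejects it.
$forged = $genuine;
$forged['openid.op_endpoint'] = 'https://evil.example.org/server';

if (!openid_assertion_matches_discovery($genuine, $discovered)
    || openid_assertion_matches_discovery($forged, $discovered)) {
  throw new RuntimeException('discovery check misbehaved');
}
echo "genuine assertion accepted, forged assertion rejected\n";
```

The function fails closed when it has no discovery result for the claimed identifier on purpose: the specification allows a relying party to accept an assertion it did not initiate, but only after running discovery on the claimed identifier in the response and performing this same comparison.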
Open redirect (Field UI module - Drupal 7 - Less critical)
The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks.
This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.
Drupal 6 core is not affected, but see the similar advisory for the Drupal 6 contributed CCK module: SA-CONTRIB-2015-126
Open redirect (Overlay module - Drupal 7 - Less critical)
The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
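For both the Field UI "destinations" parameter and the URLs the Overlay module is asked to load, the defence is the same: refuse any destination a browser would resolve to a different origin. The following is an added example and not Drupal's code. Drupal 7 provides url_is_external() and drupal_goto() for this purpose; the standalone function below reimplements the idea, with the common filter bypasses handled, so that it runs without Drupal. The sample destinations and the fallback path are constructed.

```php
<?php
// Added example, not Drupal's code: accept a redirect destination only if it is
// a path on this site. Drupal 7 provides url_is_external() and drupal_goto() for
// this purpose; the function below is a standalone reimplementation of the idea
// so that it runs without Drupal. The sample inputs are constructed.

/**
 * TRUE only if $destination resolves to a path on this site.
 *
 * Rejects anything a browser would send to another origin, including the usual
 * filter bypasses: a scheme-relative "//host", backslash variants that browsers
 * normalise to "/", a scheme without slashes ("http:evil.example"), and control
 * or whitespace characters that browsers strip before parsing.
 */
function destination_is_local(string $destination): bool {
  if ($destination === '') {
    return false;
  }
  // Browsers strip tabs, newlines and leading/trailing whitespace when parsing
  // a URL, so a value containing any of them may not mean what it looks like.
  if (preg_match('/[\x00-\x20\x7f]/', $destination)) {
    return false;
  }
  // "//host", "/\host", "\\host" and "\/host" all resolve to another host.
  if (preg_match('~^[/\\\\]{2}~', $destination)) {
    return false;
  }
  // A colon before the first "/", "?" or "#" means a scheme is present:
  // http:, https:, javascript:, data:, and also "http:evil.example".
  $colon = strpos($destination, ':');
  if ($colon !== false && !preg_match('~[/?#]~', substr($destination, 0, $colon))) {
    return false;
  }
  // Anything left is resolved relative to this site's base URL.
  return true;
}

/**
 * Choose the redirect target from a Field UI-style multi-valued destinations[]
 * parameter, falling back to a known-safe path if any entry fails validation.
 * Every entry is validated, not only the first, because the remaining entries
 * are passed along and become redirect targets on later pages.
 */
function choose_destination(array $destinations, string $fallback): string {
  if ($destinations === []) {
    return $fallback;
  }
  foreach ($destinations as $candidate) {
    if (!is_string($candidate) || !destination_is_local($candidate)) {
      return $fallback;
    }
  }
  return reset($destinations);
}

// Constructed inputs paired with the verdict the function must give.
$samples = [
  'admin/structure/types' => true,
  '/admin/structure/types?foo=1#bar' => true,
  'node/1/edit' => true,
  'http://evil.example/phish' => false,
  '//evil.example/phish' => false,
  '/\evil.example/phish' => false,
  'http:evil.example' => false,
  'javascript:alert(1)' => false,
  "/\tevil.example" => false,
];
foreach ($samples as $input => $expected) {
  if (destination_is_local($input) !== $expected) {
    throw new RuntimeException("unexpected verdict for $input");
  }
}

// A chain with a hostile second hop falls back instead of carrying it forward.
$chosen = choose_destination(['admin/structure/types', '//evil.example'], 'admin');
if ($chosen !== 'admin') {
  throw new RuntimeException('hostile chained destination was accepted');
}
echo "all destinations classified as expected\n";
```

The same rule applies on the client side: a JavaScript layer that loads a URL into an overlay or iframe should apply an equivalent same-origin test before navigating, since it is doing the browser's job of choosing the next page.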
Information disclosure (Render cache system - Drupal 7 - Less critical)
On sites utilizing Drupal 7's render cache system to cache content on the site by user role, private content viewed by user 1 (the account that bypasses all access checks) may be included in the cache and exposed to non-privileged users.
This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).
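Why a per-role render cache leaks what user 1 sees, as an added example that is not Drupal's render cache code: user 1 passes every permission check, so if the cache id is built only from the role set, an entry rendered for user 1 is served to every other account with the same roles. The account and cache structures are simplified stand-ins for Drupal's, the block markup is constructed, and the hardened keying shown is one illustrative fix, not a description of the change in 7.38.

```php
<?php
// Added example, not Drupal's render cache code: why keying a render cache by
// role alone leaks what user 1 sees, and one way to key it so that it does not.
// Accounts, roles and the cache are simplified stand-ins for Drupal's; uid 1 is
// modelled the way Drupal treats it, as an account for which every permission
// check returns TRUE. The markup and the accounts are constructed.

/** Drupal semantics: uid 1 passes every permission check. */
function account_has_permission(array $account, string $permission): bool {
  if ($account['uid'] == 1) {
    return true;
  }
  return in_array($permission, $account['permissions'], true);
}

/** Weak cache id: only the role set goes into the key. */
function render_cid_per_role(array $account): string {
  $roles = $account['roles'];
  sort($roles);
  return 'block:private:r.' . implode(',', $roles);
}

/** Hardened cache id: an account that bypasses access checks gets its own key. */
function render_cid_per_role_fixed(array $account): string {
  if ($account['uid'] == 1) {
    // Nothing rendered for the super user is safe to share with anyone else.
    return 'block:private:u.1';
  }
  return render_cid_per_role($account);
}

/** Render a block through the cache, using $cid_fn to build the cache id. */
function render_private_block(array $account, callable $cid_fn, array &$cache): string {
  $cid = $cid_fn($account);
  if (isset($cache[$cid])) {
    return $cache[$cid];
  }
  $markup = account_has_permission($account, 'view private content')
    ? '<div>PRIVATE: quarterly numbers</div>'
    : '<div>nothing to see</div>';
  $cache[$cid] = $markup;
  return $markup;
}

// Constructed accounts. On a site where uid 1 was never given an administrator
// role, its role set is identical to that of any other logged-in user, which is
// exactly the case the advisory describes.
$superuser = ['uid' => 1, 'roles' => ['authenticated'], 'permissions' => []];
$alice = ['uid' => 42, 'roles' => ['authenticated'], 'permissions' => []];

// Weak key: user 1 browses first and primes the cache, then Alice reads it.
$cache = [];
render_private_block($superuser, 'render_cid_per_role', $cache);
$leaked = render_private_block($alice, 'render_cid_per_role', $cache);

// Hardened key: the same sequence, but user 1's entry is never Alice's entry.
$cache = [];
render_private_block($superuser, 'render_cid_per_role_fixed', $cache);
$safe = render_private_block($alice, 'render_cid_per_role_fixed', $cache);

$leaked_private = strpos($leaked, 'PRIVATE') !== false;
$safe_private = strpos($safe, 'PRIVATE') !== false;
if (!$leaked_private || $safe_private) {
  throw new RuntimeException('cache keying did not behave as described');
}
echo "role-only key served user 1's render to uid 42; per-user key for uid 1 did not\n";
```

Giving uid 1 an administrator role, as the Standard profile does, changes its role set and therefore its cache id, which is why the advisory lists that as a mitigating factor; keying user 1 separately (or not caching for it at all) removes the dependency on site configuration.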

CVE identifier(s) issued
Impersonation (OpenID module - Drupal 6 and 7): CVE-2015-3234
Open redirect (Field UI module - Drupal 7): CVE-2015-3232
Open redirect (Overlay module - Drupal 7): CVE-2015-3233
Information disclosure (Render cache system - Drupal 7): CVE-2015-3231
Versions affected
Drupal core 6.x versions prior to 6.36
Drupal core 7.x versions prior to 7.38
Solution
Install the latest version:
If you use Drupal 6.x, upgrade to Drupal core 6.36
If you use Drupal 7.x, upgrade to Drupal core 7.38
Also see the Drupal core project page.
Reported by
Impersonation in the OpenID module:
Vladislav Mladenov
Christian Mainka
Christian Koßmann
Open redirect in the Field UI module:
Michael Smith
Open redirect in the Overlay module:
Jeroen Vreuls
David Rothstein of the Drupal Security Team
Information disclosure in the render cache system:
Nathaniel Catchpole of the Drupal Security Team
Fixed by
Impersonation in the OpenID module:
Christian Schmidt, OpenID module maintainer
Christian Mainka
Christian Koßmann
Open redirect in the Field UI module:
Yves Chedemois, Field UI module maintainer
Damien McKenna, provisional member of the Drupal Security Team
Pere Orga of the Drupal Security Team
David Rothstein of the Drupal Security Team
Klaus Purer of the Drupal Security Team
Open redirect in the Overlay module:
Jeroen Vreuls
Ben Dougherty of the Drupal Security Team
David Rothstein of the Drupal Security Team
Katherine Senzee, Overlay module maintainer
Information disclosure in the render cache system:
David Rothstein of the Drupal Security Team
Wim Leers
willzyx
Coordinated by
The Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity