Vulnerabilities > CVE-2014-1475 - Multiple Security Vulnerabilities in Drupal Core
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2847.NASL description Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. - CVE-2014-1476 Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it. These fixes require extra updates to the database which can be done from the administration pages. Furthermore this update introduces a new security hardening element for the form API. Please refer to the upstream advisory at drupal.org/SA-CORE-2014-001 for further information. last seen 2020-03-17 modified 2014-01-21 plugin id 72046 published 2014-01-21 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72046 title Debian DSA-2847-1 : drupal7 - several vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2847. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration branch: declares the plugin's identity, references, scoring
# and prerequisites, then exits. No target data is read in this branch.
if (description)
{
  script_id(72046);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  # One advisory, two CVEs: the OpenID account takeover (CVE-2014-1475)
  # and the taxonomy access bypass (CVE-2014-1476).
  script_cve_id("CVE-2014-1475", "CVE-2014-1476");
  script_bugtraq_id(64973);
  script_xref(name:"DSA", value:"2847");

  script_name(english:"Debian DSA-2847-1 : drupal7 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:"Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2014-1475 Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. - CVE-2014-1476 Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it. These fixes require extra updates to the database which can be done from the administration pages. Furthermore this update introduces a new security hardening element for the form API. Please refer to the upstream advisory at drupal.org/SA-CORE-2014-001 for further information.");

  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-1475");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-1476");
  # https://drupal.org/SA-CORE-2014-001
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45df5ae9");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/wheezy/drupal7");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-2847");

  script_set_attribute(attribute:"solution", value:"Upgrade the drupal7 packages. For the stable distribution (wheezy), these problems have been fixed in version 7.14-2+deb7u2.");

  # CVSS v2 scoring: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: the verdict comes from package data collected on
  # the host, not from probing the web application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  # The line break inside this literal is kept exactly as the listing shows it.
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Depends on ssh_get_info.nasl and on the three KB entries below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Guard clauses: stop with an audit message unless local checks are enabled,
# the host is identified as Debian and a dpkg listing is available.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# deb_check() is defined in debian_package.inc; presumably it is true when the
# drupal7 package on a 7.0 host is older than the reference version -- confirm
# against the include.
missing_update = FALSE;
if (deb_check(release:"7.0", prefix:"drupal7", reference:"7.14-2+deb7u2")) missing_update = TRUE;

# Nothing flagged: report the host as not affected.
# NOTE(review): only the package version is compared. The advisory text above
# says the fixes need extra database updates run from the administration
# pages; nothing in this script verifies that step.
if (!missing_update) audit(AUDIT_HOST_NOT, "affected");

# Flagged: attach the package report unless verbosity is turned off.
if (report_verbosity > 0)
  security_hole(port:0, extra:deb_report_get());
else
  security_hole(0);
exit(0);
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2851.NASL description Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts. These fixes require extra updates to the database which can be done from the administration pages. last seen 2020-03-17 modified 2014-02-03 plugin id 72248 published 2014-02-03 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72248 title Debian DSA-2851-1 : drupal6 - impersonation code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2851. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

# Registration branch: declares the plugin's identity, references, scoring
# and prerequisites, then exits. No target data is read in this branch.
if (description)
{
  script_id(72248);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  # This advisory covers the OpenID impersonation issue only.
  script_cve_id("CVE-2014-1475");
  script_bugtraq_id(64973);
  script_xref(name:"DSA", value:"2851");

  script_name(english:"Debian DSA-2851-1 : drupal6 - impersonation");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:"Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts. These fixes require extra updates to the database which can be done from the administration pages.");

  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze/drupal6");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-2851");

  script_set_attribute(attribute:"solution", value:"Upgrade the drupal6 packages. For the oldstable distribution (squeeze), this problem has been fixed in version 6.30-1.");

  # CVSS v2 scoring: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: the verdict comes from package data collected on
  # the host, not from probing the web application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Depends on ssh_get_info.nasl and on the three KB entries below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Guard clauses: stop with an audit message unless local checks are enabled,
# the host is identified as Debian and a dpkg listing is available.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# deb_check() is defined in debian_package.inc; presumably it is true when the
# drupal6 package on a 6.0 host is older than the reference version -- confirm
# against the include.
missing_update = FALSE;
if (deb_check(release:"6.0", prefix:"drupal6", reference:"6.30-1")) missing_update = TRUE;

# Nothing flagged: report the host as not affected.
# NOTE(review): only the package version is compared. The advisory text above
# says the fixes need extra database updates run from the administration
# pages; nothing in this script verifies that step.
if (!missing_update) audit(AUDIT_HOST_NOT, "affected");

# Flagged: attach the package report unless verbosity is turned off.
if (report_verbosity > 0)
  security_hole(port:0, extra:deb_report_get());
else
  security_hole(0);
exit(0);
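NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-031.NASL description Multiple security issues was identified and fixed in drupal : The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors (CVE-2014-1475). The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page (CVE-2014-1476). The updated packages has been upgraded to the 7.26 version which is unaffected by these security flaws. last seen 2020-06-01 modified 2020-06-02 plugin id 72529 published 2014-02-16 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72529 title Mandriva Linux Security Advisory : drupal (MDVSA-2014:031) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2014:031.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

# Registration branch: declares the plugin's identity, references, scoring
# and prerequisites, then exits. No target data is read in this branch.
if (description)
{
  script_id(72529);
  script_version("1.6");
  script_cvs_date("Date: 2019/08/02 13:32:55");

  # One advisory, two CVEs: the OpenID issue (CVE-2014-1475) and the
  # Taxonomy unpublished-content issue (CVE-2014-1476).
  script_cve_id("CVE-2014-1475", "CVE-2014-1476");
  script_bugtraq_id(64973);
  script_xref(name:"MDVSA", value:"2014:031");

  script_name(english:"Mandriva Linux Security Advisory : drupal (MDVSA-2014:031)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(attribute:"synopsis", value:"The remote Mandriva Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:"Multiple security issues was identified and fixed in drupal : The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors (CVE-2014-1475). The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page (CVE-2014-1476). The updated packages has been upgraded to the 7.26 version which is unaffected by these security flaws.");

  script_set_attribute(attribute:"see_also", value:"https://drupal.org/SA-CORE-2014-001");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");

  # CVSS v2 scoring: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local" plugin type: the verdict comes from package data collected on
  # the host, not from probing the web application.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-postgresql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-sqlite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/02/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  # The line break inside this literal is kept exactly as the listing shows it.
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  # Depends on ssh_get_info.nasl and on the four KB entries below.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Guard clauses: stop with an audit message unless local checks are enabled,
# the host is identified as Mandriva/Mandrake and an rpm listing is available.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# The OS name in this message now matches the spelling used in the
# architecture guard below ("Mandrake"; it previously read "Mandake").
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 / x86-64 hosts are evaluated; any other architecture is audited
# out as not implemented rather than reported clean.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Each of the four drupal packages is checked separately so that every
# outdated one is counted. rpm_check() is defined in rpm.inc; presumably it is
# true when the installed package on an MDK-MBS1 host is older than the
# reference -- confirm against the include.
flag = 0;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-7.26-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-mysql-7.26-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-postgresql-7.26-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-sqlite-7.26-1.mbs1")) flag++;

if (flag)
{
  # At least one package is behind: attach the rpm report unless verbosity
  # is turned off.
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");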
NASL family CGI abuses NASL id DRUPAL_6_30.NASL description The remote web server is running a version of Drupal that is 6.x prior to 6.30. It is, therefore, affected by a security bypass vulnerability in the OpenID module that could allow an authenticated attacker to hijack other users last seen 2020-06-01 modified 2020-06-02 plugin id 72102 published 2014-01-23 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72102 title Drupal 6.x < 6.30 OpenID Module Account Hijacking code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: declares the plugin's identity, references, scoring
# and prerequisites, then exits. No target data is read in this branch.
if (description)
{
  script_id(72102);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-1475");
  script_bugtraq_id(64973);

  script_name(english:"Drupal 6.x < 6.30 OpenID Module Account Hijacking");
  script_summary(english:"Checks the version of Drupal.");

  script_set_attribute(attribute:"synopsis", value:"The remote web server is running a PHP application that is affected by a security bypass vulnerability.");
  # The line break inside this literal is kept exactly as the listing shows it.
  script_set_attribute(attribute:"description", value:"The remote web server is running a version of Drupal that is 6.x prior to 6.30. It is, therefore, affected by a security bypass vulnerability in the OpenID module that could allow an authenticated attacker to hijack other users' accounts. Only user accounts associated with one or more OpenID entities are affected. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.");

  # https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-01-15/sa-core-2014-001-drupal-core
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?45df5ae9");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/6.30");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 6.30 or later.");

  # NOTE(review): the description speaks of an authenticated attacker while
  # the base vector uses Au:N; the score is declared as taken from the CVE
  # entry (cvss_score_source below).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1475");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/23");

  # Marked as a potential vulnerability: the finding rests on the reported
  # version alone, as the description text states.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  # The line break inside this literal is kept exactly as the listing shows it.
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # Depends on drupal_detect.nasl; "Settings/ParanoidReport" is a required
  # key, so the plugin is only scheduled when that KB entry is present.
  script_dependencies("drupal_detect.nasl");
  script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "Drupal";

# Exit early when no Drupal install was recorded for this host.
get_install_count(app_name:app, exit_if_zero:TRUE);

web_port = get_http_port(default:80, php:TRUE);

# One install is selected for the port; installs with an unknown version are
# not evaluated (exit_if_unknown_ver).
found = get_single_install(app_name:app, port:web_port, exit_if_unknown_ver:TRUE);

install_path = found['path'];
version = found['version'];
install_url = build_url(qs:install_path, port:web_port);

# Version-only findings are reported only when paranoia is at least 2.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

fixed_version = '6.30';

# The pattern accepts 6.0 through 6.29: a one-digit minor, or a two-digit
# minor starting with 1 or 2, followed by end of string or a non-digit.
# Anything else is audited out as not affected.
if (version !~ "^6\.([0-9]|[12][0-9])($|[^0-9]+)")
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

if (report_verbosity > 0)
{
  # Report the install URL plus the installed and fixed versions.
  details = '\n URL : ' + install_url;
  details = details + '\n Installed version : ' + version;
  details = details + '\n Fixed version : ' + fixed_version + '\n';
  security_hole(port:web_port, extra:details);
}
else security_hole(web_port);
exit(0);
NASL family CGI abuses NASL id DRUPAL_7_26.NASL description The remote web server is running a version of Drupal that is 7.x prior to 7.26. It is, therefore, potentially affected by the following security bypass vulnerabilities : - An issue exists in the OpenID module that allows an authenticated attacker to hijack other users last seen 2020-06-01 modified 2020-06-02 plugin id 72103 published 2014-01-23 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/72103 title Drupal 7.x < 7.26 Multiple Vulnerabilities
References
- http://secunia.com/advisories/56260
- http://secunia.com/advisories/56601
- http://www.debian.org/security/2014/dsa-2847
- http://www.debian.org/security/2014/dsa-2851
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:031
- http://www.securityfocus.com/bid/64973
- https://drupal.org/SA-CORE-2014-001