Vulnerabilities > CVE-2014-2983 - Information Exposure vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
drupal
debian
CWE-200
nessus
NVD
Published: 2014-04-23
Updated: 2021-04-20

Summary

Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Drupal
82
OS
Debian
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-181.NASL
    descriptionUpdated drupal packages fix security vulnerabilities : An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint. A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704). Aaron Averill discovered that a specially crafted request can give a user access to another user
    last seen2020-06-01
    modified2020-06-02
    plugin id82456
    published2015-03-31
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82456
    titleMandriva Linux Security Advisory : drupal (MDVSA-2015:181)
    code
    #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandriva Linux Security Advisory MDVSA-2015:181. 
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(82456);
  script_version("1.9");
  script_cvs_date("Date: 2019/08/02 13:32:57");

  script_cve_id("CVE-2014-2983", "CVE-2014-3704", "CVE-2014-5019", "CVE-2014-5020", "CVE-2014-5021", "CVE-2014-5022", "CVE-2014-9015", "CVE-2014-9016", "CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750");
  script_xref(name:"MDVSA", value:"2015:181");

  script_name(english:"Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandriva Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Updated drupal packages fix security vulnerabilities :

An information disclosure vulnerability was discovered in Drupal
before 7.27. When pages are cached for anonymous users, form state may
leak between anonymous users. Sensitive or private information
recorded for one anonymous user could thus be disclosed to other users
interacting with the same form at the same time (CVE-2014-2983).

Multiple security issues in Drupal before 7.29, including a denial of
service issue, an access bypass issue in the File module, and multiple
cross-site scripting issues (CVE-2014-5019, CVE-2014-5020,
CVE-2014-5021, CVE-2014-5022).

A denial of service issue exists in Drupal before 7.31, due to XML
entity expansion in a publicly accessible XML-RPC endpoint.

A SQL Injection issue exists in Drupal before 7.32 due to the way the
Drupal core handles prepared statements. A malicious user can inject
arbitrary SQL queries, and thereby completely control the Drupal site.
This vulnerability can be exploited by remote attackers without any
kind of authentication required (CVE-2014-3704).

Aaron Averill discovered that a specially crafted request can give a
user access to another user's session, allowing an attacker to hijack
a random session (CVE-2014-9015).

Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that
the password hashing API allows an attacker to send specially crafted
requests resulting in CPU and memory exhaustion. This may lead to the
site becoming unavailable or unresponsive (denial of service)
(CVE-2014-9016). anonymous users (CVE-2014-9016).

Password reset URLs can be forged under certain circumstances,
allowing an attacker to gain access to another user's account without
knowing the account's password (CVE-2015-2559).

Under certain circumstances, malicious users can construct a URL that
will trick users into being redirected to a 3rd party website, thereby
exposing the users to potential social engineering attacks. In
addition, several URL-related API functions in Drupal 6 and 7 can be
tricked into passing through external URLs when not intending to,
potentially leading to additional open redirect vulnerabilities
(CVE-2015-2749, CVE-2015-2750).

The drupal package has been updated to version 7.35 to fix this issue
and other bugs. See the upstream advisory and release notes for more
details."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0322.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0329.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0423.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0492.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2015-0121.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Drupal core 7.x SQL Injection");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Drupal HTTP Parameter Key/Value SQL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-postgresql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-sqlite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-7.35-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-mysql-7.35-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-postgresql-7.35-1.mbs1")) flag++;
if (rpm_check(release:"MDK-MBS1", reference:"drupal-sqlite-7.35-1.mbs1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2913.NASL
    descriptionAn information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time. This security update introduces small API changes, see the upstream advisory at drupal.org/SA-CORE-2014-002 for further information.
    last seen2020-03-17
    modified2014-04-27
    plugin id73714
    published2014-04-27
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73714
    titleDebian DSA-2913-1 : drupal7 - security update
  • NASL familyCGI abuses
    NASL idDRUPAL_7_27.NASL
    descriptionThe remote web server is running a version of Drupal that is 7.x prior to 7.27. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expose any such HTML forms by default. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id73635
    published2014-04-21
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73635
    titleDrupal 7.x < 7.27 Forms API Information Disclosure
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2914.NASL
    descriptionAn information disclosure vulnerability was discovered in Drupal, a fully-featured content management framework. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time. This security update introduces small API changes, see the upstream advisory at drupal.org/SA-CORE-2014-002 for further information.
    last seen2020-03-17
    modified2014-04-27
    plugin id73715
    published2014-04-27
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73715
    titleDebian DSA-2914-1 : drupal6 - security update
  • NASL familyCGI abuses
    NASL idDRUPAL_6_31.NASL
    descriptionThe remote web server is running a version of Drupal that is 6.x prior to 6.31. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expose any such HTML forms by default. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id73634
    published2014-04-21
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/73634
    titleDrupal 6.x < 6.31 Forms API Information Disclosure

References