Vulnerabilities > CVE-2015-2559 - Improper Access Control vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family CGI abuses NASL id DRUPAL_7_35.NASL description The remote web server is running a version of Drupal that is 6.x prior to 6.35 or 7.x prior to 7.35. It is, therefore, potentially affected by the following vulnerabilities : - An access bypass vulnerability exists in which password reset URLs can be forged. This allows a remote attacker to gain access to another user last seen 2020-06-01 modified 2020-06-02 plugin id 81975 published 2015-03-20 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81975 title Drupal 6.x < 6.35 / 7.x < 7.35 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(81975); script_version("1.16"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_bugtraq_id(73219); script_name(english:"Drupal 6.x < 6.35 / 7.x < 7.35 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Drupal."); script_set_attribute(attribute:"synopsis", value: "The remote web server is running a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote web server is running a version of Drupal that is 6.x prior to 6.35 or 7.x prior to 7.35. It is, therefore, potentially affected by the following vulnerabilities : - An access bypass vulnerability exists in which password reset URLs can be forged. This allows a remote attacker to gain access to another user's account. (CVE-2015-2559) - An open redirect vulnerability exists which allows a remote attacker to craft a URL using the 'destination' parameter in order to trick users into being redirected to third-party sites. Additionally, several URL related API functions can be tricked into passing external URLs. (CVE-2015-2749, CVE-2015-2750) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/SA-CORE-2015-001"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/drupal-7.35-release-notes"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/drupal-6.35-release-notes"); script_set_attribute(attribute:"solution", value: "Upgrade to version 6.35 / 7.35 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2750"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/20"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("drupal_detect.nasl"); script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "Drupal"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['path']; version = install['version']; url = build_url(qs:dir, port:port); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^7\.([0-9]|[1-2][0-9]|3[0-4])($|[^0-9]+)" || version =~ "^6\.([0-9]|[1-2][0-9]|3[0-4])($|[^0-9]+)" ) { if (report_verbosity > 0) { report = '\n URL : ' + url + '\n Installed version : ' + version + '\n Fixed version : 7.35 / 6.35' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-181.NASL description Updated drupal packages fix security vulnerabilities : An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint. A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704). Aaron Averill discovered that a specially crafted request can give a user access to another user last seen 2020-06-01 modified 2020-06-02 plugin id 82456 published 2015-03-31 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82456 title Mandriva Linux Security Advisory : drupal (MDVSA-2015:181) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2015:181. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(82456); script_version("1.9"); script_cvs_date("Date: 2019/08/02 13:32:57"); script_cve_id("CVE-2014-2983", "CVE-2014-3704", "CVE-2014-5019", "CVE-2014-5020", "CVE-2014-5021", "CVE-2014-5022", "CVE-2014-9015", "CVE-2014-9016", "CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_xref(name:"MDVSA", value:"2015:181"); script_name(english:"Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated drupal packages fix security vulnerabilities : An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint. A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704). Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015). Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service) (CVE-2014-9016). anonymous users (CVE-2014-9016). Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750). The drupal package has been updated to version 7.35 to fix this issue and other bugs. See the upstream advisory and release notes for more details." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0322.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0329.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0423.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0492.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2015-0121.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Drupal core 7.x SQL Injection"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Drupal HTTP Parameter Key/Value SQL Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-postgresql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-sqlite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", reference:"drupal-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-mysql-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-postgresql-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-sqlite-7.35-1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3200.NASL description Multiple vulnerabilities have been found in the Drupal content management framework. More information can be found at last seen 2020-03-17 modified 2015-03-23 plugin id 81984 published 2015-03-23 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81984 title Debian DSA-3200-1 : drupal7 - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3200. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(81984); script_version("1.16"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_bugtraq_id(73219); script_xref(name:"DSA", value:"3200"); script_name(english:"Debian DSA-3200-1 : drupal7 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities have been found in the Drupal content management framework. More information can be found at" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780772" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/drupal7" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3200" ); script_set_attribute( attribute:"solution", value: "Upgrade the drupal7 packages. For the stable distribution (wheezy), this problem has been fixed in version 7.14-2+deb7u9." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"drupal7", reference:"7.14-2+deb7u9")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");