Vulnerabilities > CVE-2015-2749 - Open Redirect vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
Open redirect vulnerability in Drupal 6.x before 6.35 and 7.x before 7.35 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fake the Source of Data An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.
Nessus
NASL family CGI abuses NASL id DRUPAL_7_35.NASL description The remote web server is running a version of Drupal that is 6.x prior to 6.35 or 7.x prior to 7.35. It is, therefore, potentially affected by the following vulnerabilities : - An access bypass vulnerability exists in which password reset URLs can be forged. This allows a remote attacker to gain access to another user last seen 2020-06-01 modified 2020-06-02 plugin id 81975 published 2015-03-20 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81975 title Drupal 6.x < 6.35 / 7.x < 7.35 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(81975); script_version("1.16"); script_cvs_date("Date: 2019/11/25"); script_cve_id("CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_bugtraq_id(73219); script_name(english:"Drupal 6.x < 6.35 / 7.x < 7.35 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Drupal."); script_set_attribute(attribute:"synopsis", value: "The remote web server is running a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote web server is running a version of Drupal that is 6.x prior to 6.35 or 7.x prior to 7.35. It is, therefore, potentially affected by the following vulnerabilities : - An access bypass vulnerability exists in which password reset URLs can be forged. This allows a remote attacker to gain access to another user's account. (CVE-2015-2559) - An open redirect vulnerability exists which allows a remote attacker to craft a URL using the 'destination' parameter in order to trick users into being redirected to third-party sites. Additionally, several URL related API functions can be tricked into passing external URLs. (CVE-2015-2749, CVE-2015-2750) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/SA-CORE-2015-001"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/drupal-7.35-release-notes"); script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/drupal-6.35-release-notes"); script_set_attribute(attribute:"solution", value: "Upgrade to version 6.35 / 7.35 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2750"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/20"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("drupal_detect.nasl"); script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "Drupal"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['path']; version = install['version']; url = build_url(qs:dir, port:port); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^7\.([0-9]|[1-2][0-9]|3[0-4])($|[^0-9]+)" || version =~ "^6\.([0-9]|[1-2][0-9]|3[0-4])($|[^0-9]+)" ) { if (report_verbosity > 0) { report = '\n URL : ' + url + '\n Installed version : ' + version + '\n Fixed version : 7.35 / 6.35' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url, version);
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-181.NASL description Updated drupal packages fix security vulnerabilities : An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint. A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704). Aaron Averill discovered that a specially crafted request can give a user access to another user last seen 2020-06-01 modified 2020-06-02 plugin id 82456 published 2015-03-31 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82456 title Mandriva Linux Security Advisory : drupal (MDVSA-2015:181) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2015:181. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(82456); script_version("1.9"); script_cvs_date("Date: 2019/08/02 13:32:57"); script_cve_id("CVE-2014-2983", "CVE-2014-3704", "CVE-2014-5019", "CVE-2014-5020", "CVE-2014-5021", "CVE-2014-5022", "CVE-2014-9015", "CVE-2014-9016", "CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_xref(name:"MDVSA", value:"2015:181"); script_name(english:"Mandriva Linux Security Advisory : drupal (MDVSA-2015:181)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated drupal packages fix security vulnerabilities : An information disclosure vulnerability was discovered in Drupal before 7.27. When pages are cached for anonymous users, form state may leak between anonymous users. Sensitive or private information recorded for one anonymous user could thus be disclosed to other users interacting with the same form at the same time (CVE-2014-2983). Multiple security issues in Drupal before 7.29, including a denial of service issue, an access bypass issue in the File module, and multiple cross-site scripting issues (CVE-2014-5019, CVE-2014-5020, CVE-2014-5021, CVE-2014-5022). A denial of service issue exists in Drupal before 7.31, due to XML entity expansion in a publicly accessible XML-RPC endpoint. A SQL Injection issue exists in Drupal before 7.32 due to the way the Drupal core handles prepared statements. A malicious user can inject arbitrary SQL queries, and thereby completely control the Drupal site. This vulnerability can be exploited by remote attackers without any kind of authentication required (CVE-2014-3704). Aaron Averill discovered that a specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session (CVE-2014-9015). Michael Cullum, Javier Nieto and Andres Rojas Guerrero discovered that the password hashing API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service) (CVE-2014-9016). anonymous users (CVE-2014-9016). Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750). The drupal package has been updated to version 7.35 to fix this issue and other bugs. See the upstream advisory and release notes for more details." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0322.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0329.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0423.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0492.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2015-0121.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Drupal core 7.x SQL Injection"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Drupal HTTP Parameter Key/Value SQL Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-postgresql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drupal-sqlite"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", reference:"drupal-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-mysql-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-postgresql-7.35-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", reference:"drupal-sqlite-7.35-1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3200.NASL description Multiple vulnerabilities have been found in the Drupal content management framework. More information can be found at last seen 2020-03-17 modified 2015-03-23 plugin id 81984 published 2015-03-23 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81984 title Debian DSA-3200-1 : drupal7 - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3200. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(81984); script_version("1.16"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-2559", "CVE-2015-2749", "CVE-2015-2750"); script_bugtraq_id(73219); script_xref(name:"DSA", value:"3200"); script_name(english:"Debian DSA-3200-1 : drupal7 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities have been found in the Drupal content management framework. More information can be found at" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780772" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/drupal7" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2015/dsa-3200" ); script_set_attribute( attribute:"solution", value: "Upgrade the drupal7 packages. For the stable distribution (wheezy), this problem has been fixed in version 7.14-2+deb7u9." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"drupal7", reference:"7.14-2+deb7u9")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- https://www.drupal.org/SA-CORE-2015-001
- https://bugzilla.redhat.com/show_bug.cgi?id=1204753
- http://www.securityfocus.com/bid/73219
- http://www.openwall.com/lists/oss-security/2015/03/26/4
- http://www.debian.org/security/2015/dsa-3200
- http://cgit.drupalcode.org/drupal/commit/?id=d2304f840c43c190c6e136ee9901ed9797b4c3ca