Vulnerabilities > CVE-2016-9450 - Insufficient Verification of Data Authenticity vulnerability in Drupal

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
drupal
CWE-345
nessus
NVD
Published: 2016-11-25
Updated: 2016-11-29

Summary

The user password reset form in Drupal 8.x before 8.2.3 allows remote attackers to conduct cache poisoning attacks by leveraging failure to specify a correct cache context.

Vulnerable Configurations

Part Description Count
Application
Drupal
61

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • JSON Hijacking (aka JavaScript Hijacking)
    An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.
  • Cache Poisoning
    An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
  • DNS Cache Poisoning
    A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
  • Cross-Site Scripting Using MIME Type Mismatch
    An attacker creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. Some browsers will detect that the specified MIME type of the file does not match the actual type of the content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the attackers' script may run on the target unsanitized. For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked. In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters. In a cross-site scripting attack, the attacker tricks the victim into accessing a URL that uploads a script file with an incorrectly specified MIME type. If the victim's browser switches to the appropriate interpreter without filtering, the attack will execute as a standard XSS attack, possibly revealing the victim's cookies or executing arbitrary script in their browser.
  • Spoofing of UDDI/ebXML Messages
    An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_8DB24888B2F511E6815300248C0C745D.NASL
    descriptionThe Drupal development team reports : Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8) Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module
    last seen2020-06-01
    modified2020-06-02
    plugin id95365
    published2016-11-28
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95365
    titleFreeBSD : Drupal Code -- Multiple Vulnerabilities (8db24888-b2f5-11e6-8153-00248c0c745d)
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(95365);
  script_version("3.8");
  script_cvs_date("Date: 2018/11/10 11:49:45");

  script_cve_id("CVE-2016-9449", "CVE-2016-9450", "CVE-2016-9451", "CVE-2016-9452");

  script_name(english:"FreeBSD : Drupal Code -- Multiple Vulnerabilities (8db24888-b2f5-11e6-8153-00248c0c745d)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The Drupal development team reports : Inconsistent name for term
access query (Less critical - Drupal 7 and Drupal 8) Drupal provides a
mechanism to alter database SELECT queries before they are executed.
Contributed and custom modules may use this mechanism to restrict
access to certain entities by implementing hook_query_alter() or
hook_query_TAG_alter() in order to add additional conditions. Queries
can be distinguished by means of query tags. As the documentation on
EntityFieldQuery::addTag() suggests, access-tags on entity queries
normally follow the form ENTITY_TYPE_access (e.g. node_access).
However, the taxonomy module's access query tag predated this system
and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release modules wishing to restrict
access to taxonomy terms may have implemented an unsupported tag, or
needed to look for both tags (term_access and taxonomy_term_access) in
order to be compatible with queries generated both by Drupal core as
well as those generated by contributed modules like Entity Reference.
Otherwise information on taxonomy terms might have been disclosed to
unprivileged users.

Incorrect cache context on password reset page (Less critical - Drupal
8) The user password reset form does not specify a proper cache
context, which can lead to cache poisoning and unwanted content on the
page. Confirmation forms allow external URLs to be injected
(Moderately critical - Drupal 7) Under certain circumstances,
malicious users could construct a URL to a confirmation form that
would trick users into being redirected to a 3rd party website after
interacting with the form, thereby exposing the users to potential
social engineering attacks. Denial of service via transliterate
mechanism (Moderately critical - Drupal 8) A specially crafted URL can
cause a denial of service via the transliterate mechanism."
  );
  # https://vuxml.freebsd.org/freebsd/8db24888-b2f5-11e6-8153-00248c0c745d.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?92d3fe4a"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:drupal7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:drupal8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"drupal7>=7.0<7.52")) flag++;
if (pkg_test(save_report:TRUE, pkg:"drupal8>=8.0.0<8.2.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyCGI abuses
    NASL idDRUPAL_8_2_3.NASL
    descriptionThe version of Drupal running on the remote web server is 7.x prior to 7.52 or 8.x prior to 8.2.3. It is, therefore, affected by the multiple vulnerabilities : - An information disclosure vulnerability exists in the taxonomy module when using access query tags that are inconsistent with the standard system used by Drupal Core. An unauthenticated, remote attacker can exploit this to disclose sensitive information regarding taxonomy terms. (CVE-2016-9449) - A flaw exists in the password reset form due to a failure to properly specify a cache context. An unauthenticated, remote attacker can exploit this to poison the cache, by adding, for example, unwanted content to the page. Note that this issue only affects version 8.x. (CVE-2016-9450) - A cross-site redirection vulnerability exists in the confirmation form due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to redirect the user to a website of the attacker
    last seen2020-06-01
    modified2020-06-02
    plugin id95026
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95026
    titleDrupal 7.x < 7.52 / 8.x < 8.2.3 Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95026);
  script_version("1.10");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id(
    "CVE-2016-9449",
    "CVE-2016-9450",
    "CVE-2016-9451",
    "CVE-2016-9452"
  );
  script_bugtraq_id(94367);

  script_name(english:"Drupal 7.x < 7.52 / 8.x < 8.2.3 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Drupal.");

  script_set_attribute(attribute:"synopsis", value:
"A PHP application running on the remote web server is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Drupal running on the remote web server is 7.x prior to
7.52 or 8.x prior to 8.2.3. It is, therefore, affected by the multiple
vulnerabilities :

  - An information disclosure vulnerability exists in the
    taxonomy module when using access query tags that are
    inconsistent with the standard system used by Drupal
    Core. An unauthenticated, remote attacker can exploit
    this to disclose sensitive information regarding
    taxonomy terms. (CVE-2016-9449)

  - A flaw exists in the password reset form due to a
    failure to properly specify a cache context. An
    unauthenticated, remote attacker can exploit this to
    poison the cache, by adding, for example, unwanted
    content to the page. Note that this issue only
    affects version 8.x. (CVE-2016-9450)

  - A cross-site redirection vulnerability exists in the
    confirmation form due to improper validation of input
    before returning it to users. An unauthenticated, remote
    attacker can exploit this, via a specially crafted link,
    to redirect the user to a website of the attacker's
    choosing. Note that this issue only affects version
    7.x. (CVE-2016-9451)

  - A denial of service vulnerability exists in the
    transliterate mechanism when handling specially crafted
    URLs. An unauthenticated, remote attacker can exploit
    this to cause a crash. Note that this issue only affects
    version 8.x. (CVE-2016-9452)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/SA-CORE-2016-005");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/7.52");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.2.3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Drupal version 7.52 / 8.2.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9450");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/21");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("drupal_detect.nasl");
  script_require_keys("www/PHP", "installed_sw/Drupal", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80, 443);

  exit(0);
}

include("vcf.inc");
include("http.inc");

app = "Drupal";
get_install_count(app_name:app, exit_if_zero:TRUE);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, php:TRUE);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  {"min_version" : "7.0", "fixed_version" : "7.52"},
  {"min_version" : "8.0", "fixed_version" : "8.2.3"}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

References