What are the identified vulnerabilities? Access bypass, information disclosure, open redirect in Drupal versions 6.x and Drupal 7.x

Solutions to vulnerabilities? Upgrade Drupal 6.x to Drupal core 6.36, Upgrade Drupal 7.x to Drupal core 7.38

Description of Vulnerabilities

Impersonation through OpenID

OpenID is an account created by the open source community that allows you to use an existing account to sign in to multiple websites with one password. The Drupal vulnerability with OpenID uses impersonation to log in as other users on a site including administrators. They then use the administrator access level to hijack accounts. This vulnerability affects Drupal 6 and Drupal 7 versions.

Open Redirect through Field UI and Overlay modules

Drupal 7 sites using the Field UI can be used to trick users to go to a malicious URL that can gather information. The Overlay module does not properly validate URLs prior to displaying content. This can lead to an open redirect vulnerability.

Information Disclosure through the Drupal 7 Render Cache system

Drupal 7 sites utilizing the render cache system may cache content that is typically protected by user role. The content may be exposed to non-privileged users. This vulnerability is specific to private content on sites where User 1 is an account.

For more information please go to the Drupal Security Advisories page.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Did you find this article helpful?

Post a Comment

Email Address:
Phone Number:

Please note: Your name and comment will be displayed, but we will not show your email address.

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Need More Help?

Help Center Search

Current Customers

Email: support@WebHostingHub.com Ticket: Submit a Support Ticket
Call: 877-595-4HUB (4482)
757-416-6627 (Intl.)
Chat: Click To Chat Now

Ask the Community

Get help with your questions from our community of like-minded hosting users and Web Hosting Hub Staff.

Not a Customer?

Get web hosting from a company that is here to help.