The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.

The remote MiracleLinux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2014-234:01 advisory.

    Drupal is a free software package that allows an individual or a community of users to easily publish,     manage and organize a wide variety of content on a website. Tens of thousands of people and organizations     have used Drupal to power scores of different web sites, including:
     Community web portals      Discussion sites      Corporate web sites      Intranet applications      Personal web sites or blogs      Aficionado sites      E-commerce applications      Resource directories      Social Networking sites     Security issues fixed with this release:
     CVE-2014-1475     The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate     as other users via unspecified vectors.
     CVE-2013-6385     The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party     modules, performs form validation even when CSRF validation has failed, which might allow remote attackers     to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
     CVE-2013-6386     Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which     uses predictable seeds and allows remote attackers to predict security strings and bypass intended     restrictions via a brute force attack.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues was identified and fixed in drupal :

The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors (CVE-2014-1475).

The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page (CVE-2014-1476).

The updated packages has been upgraded to the 7.26 version which is unaffected by these security flaws.

Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module of Drupal, a fully-featured content management framework. A malicious user could exploit this flaw to log in as other users on the site, including administrators, and hijack their accounts.

These fixes require extra updates to the database which can be done from the administration pages.

The remote web server is running a version of Drupal that is 7.x prior to 7.26. It is, therefore, potentially affected by the following security bypass vulnerabilities :

  - An issue exists in the OpenID module that allows an     authenticated attacker to hijack other users' accounts.
    Only user accounts associated with one or more OpenID     entities are affected. (CVE-2014-1475)

  - An issue exists in the Taxonomy module that could allow     potentially sensitive, unpublished content to be     publicly viewable. Only Drupal 7 sites that upgraded     from Drupal 6 or earlier are affected. (CVE-2014-1476)

  - A potential issue exists in the drupal_form_submit()     function within the form API in which access checks are     bypassed.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web server is running a version of Drupal that is 6.x prior to 6.30. It is, therefore, affected by a security bypass vulnerability in the OpenID module that could allow an authenticated attacker to hijack other users' accounts. Only user accounts associated with one or more OpenID entities are affected.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities have been discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2014-1475     Christian Mainka and Vladislav Mladenov reported a     vulnerability in the OpenID module that allows a     malicious user to log in as other users on the site,     including administrators, and hijack their accounts.

  - CVE-2014-1476     Matt Vance and Damien Tournoud reported an access bypass     vulnerability in the taxonomy module. Under certain     circumstances, unpublished content can appear on listing     pages provided by the taxonomy module and will be     visible to users who should not have permission to see     it.

These fixes require extra updates to the database which can be done from the administration pages. Furthermore this update introduces a new security hardening element for the form API. Please refer to the upstream advisory at drupal.org/SA-CORE-2014-001 for further information.

ID	Name	Product	Family	Severity
289456	MiracleLinux 3 : drupal-6.30-1.AXS3 (AXSA:2014-234:01)	Nessus	Miracle Linux Local Security Checks	high
72529	Mandriva Linux Security Advisory : drupal (MDVSA-2014:031)	Nessus	Mandriva Local Security Checks	high
72248	Debian DSA-2851-1 : drupal6 - impersonation	Nessus	Debian Local Security Checks	high
72103	Drupal 7.x < 7.26 Multiple Vulnerabilities	Nessus	CGI abuses	high
72102	Drupal 6.x < 6.30 OpenID Module Account Hijacking	Nessus	CGI abuses	high
72046	Debian DSA-2847-1 : drupal7 - several vulnerabilities	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2014-1475

critical

Tenable Plugins

high

high

high

high

high

high