
Drupal 6.x < 6.36 OpenID Security Bypass

Medium

Synopsis

The remote web server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.

Description

The remote web server is running a version of Drupal 6.x prior to 6.36. It is, therefore, potentially affected by a security bypass vulnerability due to a flaw in the OpenID module. A remote attacker can exploit this flaw to log in as other users, including administrators. Note that a victim must have an existing OpenID account with one of a particular set of OpenID providers, including, but not limited to, Verisign, LiveJournal, and StackExchange.

Solution

Upgrade to Drupal 6.36 or later.