Bug 807859 (CVE-2007-6752)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2007-6752 drupal: CSRF flaw allows remote attackers to force user logout | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | greg.knaddison, gwync, ivano.binetti, stickster, sven |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-03-21 23:07:51 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Vincent Danen
2012-03-28 23:47:59 UTC
Also forgot to note that there is currently no upstream fix for this as of yet, so I'm not filing Fedora or EPEL trackers for it.

Eek. What a tempest. It looks like neither the exploit nor the patch attempts are meeting with much success so far. I'll keep an eye on this.

I believe the analysis of this report could be applied, for example, to Bugzilla and find it has similar flaws. Bugzilla uses an `<input type="hidden" name="token" value="long-hash">` to provide CSRF protection, no? And if someone could sniff that value via MITM or client-side sniffing, does Bugzilla have protection such as referrer detection? The CSRF logout "vulnerability" seems to exist as well. Consider this attack: `<img src="https://bugzilla.redhat.com/index.cgi?logout=1">`

I welcome your analysis and the Drupal project is open to constructive criticism, but I believe most web applications are vulnerable to these issues. That's why we suggest fixes that are at different layers in the stack (e.g. HTTPS). For sites built in Drupal that need extra protection (e.g. for the logout issue) there is a contributed module at http://drupal.org/sandbox/davereid/1332490 which uses our standard token system. Sites that want to add referrer detection to some or all form actions could do so via the Form API, though I'm not aware of such a module in existence.

Greg, to exploit this vulnerability (force administrator/user's logout) you don't need to sniff the anti-CSRF token. You only have to create a web page containing a simple POST (or GET, as Drupal doesn't care about it) HTTP request, as explained in my Original Advisory (http://www.webapp-security.com/wp-content/uploads/2012/03/Drupal-7.12-latest-stable-release-Multiple-Vulnerabilities.txt). As I've already explained in Drupal's group (http://groups.drupal.org/node/216314), only to add a Drupal Administrator do you have to sniff the anti-CSRF token, due to a "problem" related to the token's generation logic.

MITRE CVE Numbering Authority classified my recommendations about token generation as Drupal's "security improvements".
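As an added illustration (not code from the bug report, the advisory, or Drupal itself), the following contrasts the unprotected logout route the thread describes with one that only honours a same-origin POST carrying a token bound to the session and the action; the function names, the placeholder site origin and the HMAC token construction are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.invalid"   # constructed: the site's own origin
PRIVATE_KEY = secrets.token_bytes(32)     # constructed: per-site secret key


def logout_unprotected(request, session):
    """The pattern the report describes: any request to the logout URL,
    GET or POST and with no token, ends the session. A cross-site
    <img src=...> is enough to trigger it."""
    session["logged_in"] = False
    return 200


def csrf_token(session_id, action):
    """Token bound to both the session and the action it authorizes, so a
    token captured for one form cannot be replayed against another."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def same_origin(headers):
    """Referrer detection as defence in depth: if the browser sent an
    Origin or Referer header, it must name this site."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return True  # header absent; the token check below still applies
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def logout_protected(request, session):
    """Log out only on a same-origin POST carrying this session's token."""
    if request["method"] != "POST":
        return 405  # an image tag or plain link can only issue a GET
    if not same_origin(request.get("headers", {})):
        return 403
    presented = request.get("form", {}).get("token", "")
    expected = csrf_token(session["id"], "logout")
    if not hmac.compare_digest(presented, expected):
        return 403  # missing, forged, or another session's token
    session["logged_in"] = False
    return 200
```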