Bug 807859 - (CVE-2007-6752) CVE-2007-6752 drupal: CSRF flaw allows remote attackers to force user logout
CVE-2007-6752 drupal: CSRF flaw allows remote attackers to force user logout
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2012-03-28 19:47 EDT by Vincent Danen
Modified: 2018-03-01 10:18 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-03-28 19:47:59 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6752 to
the following vulnerability:

Name: CVE-2007-6752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6752
Assigned: 20120327
Reference: EXPLOIT-DB:18564
Reference: http://www.exploit-db.com/exploits/18564/
Reference: http://drupal.org/node/144538
Reference: http://groups.drupal.org/node/216314
Reference: http://ivanobinetti.blogspot.it/2012/03/drupal-cms-712-latest-stable-release.html
Reference: http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt

** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in
Drupal 7.12 and earlier allows remote attackers to hijack the
authentication of arbitrary users for requests that end a session via
the user/logout URI.  NOTE: the vendor disputes the significance of
this issue, by considering the "security benefit against platform
complexity and performance impact" and concluding that a change to the
logout behavior

NOTE: I was able to reproduce this on drupal6 as well.
Comment 1 Vincent Danen 2012-03-28 19:55:34 EDT
Also forgot to note that there is currently no upstream fix for this as of yet, so I'm not filing Fedora or EPEL trackers for it.
Comment 2 Gwyn Ciesla 2012-03-29 08:58:29 EDT
Eek.  What a tempest.  It looks like neither the exploit nor the patch attempts are meeting with much success so far.  I'll keep an eye on this.
Comment 3 Greg Knaddison 2012-03-29 19:56:01 EDT
I believe the analysis of this report could be applied, for example, to Bugzilla and find it has similar flaws. Bugzilla uses  an input type="hidden" name="token" value="long-hash" to provide csrf protection, no? And if someone could sniff that value via mitm or client-side sniffing, does bugzilla have protection such as referrer detection?

The CSRF logout "vulnerability" seems to exist as well. Consider this attack <img src="https://bugzilla.redhat.com/index.cgi?logout=1">

I welcome your analysis and the Drupal project is open to constructive criticism, but I believe most web applications are vulnerable to these issues. That's why we suggest fixes that are at different layers in the stack (e.g. https).

For sites built in Drupal that need extra protection (e.g. for the logout issue) there is a contributed module at http://drupal.org/sandbox/davereid/1332490 which uses our standard token system.

Sites that want to add referrer detection to some or all form actions could do so via the Form API, though I'm not aware of such a module in existence.
Comment 4 Ivano Binetti 2012-04-05 14:02:42 EDT
Greg, to exploit this vulnerability (force administrator/user's logout) you don't need to sniff anti-CSRF token. You have only to create a web page containing a simple POST (or GET, as Drupal don't care about it) http request , as explained in my Original Advisory (http://www.webapp-security.com/wp-content/uploads/2012/03/Drupal-7.12-latest-stable-release-Multiple-Vulnerabilities.txt). 

As I've already explained in Drupal's Group (http://groups.drupal.org/node/216314)
only to add Drupal Administrator you have to sniff anti-CSRF token due to a "problem" related to token's logic generation. MITRE CVE Numbering Authority classified my recommendations about token generation as Drupal's "security improvements".

Note You need to log in before you can comment on or make changes to this bug.