Bug 807859 (CVE-2007-6752) - CVE-2007-6752 drupal: CSRF flaw allows remote attackers to force user logout
Summary: CVE-2007-6752 drupal: CSRF flaw allows remote attackers to force user logout
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-6752
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-28 23:47 UTC by Vincent Danen
Modified: 2019-09-29 12:51 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-21 23:07:51 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-03-28 23:47:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6752 to
the following vulnerability:

Name: CVE-2007-6752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6752
Assigned: 20120327
Reference: EXPLOIT-DB:18564
Reference: http://www.exploit-db.com/exploits/18564/
Reference: http://drupal.org/node/144538
Reference: http://groups.drupal.org/node/216314
Reference: http://ivanobinetti.blogspot.it/2012/03/drupal-cms-712-latest-stable-release.html
Reference: http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt

** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in
Drupal 7.12 and earlier allows remote attackers to hijack the
authentication of arbitrary users for requests that end a session via
the user/logout URI.  NOTE: the vendor disputes the significance of
this issue, by considering the "security benefit against platform
complexity and performance impact" and concluding that a change to the
logout behavior

NOTE: I was able to reproduce this on drupal6 as well.

Comment 1 Vincent Danen 2012-03-28 23:55:34 UTC
Also forgot to note that there is currently no upstream fix for this as of yet, so I'm not filing Fedora or EPEL trackers for it.

Comment 2 Gwyn Ciesla 2012-03-29 12:58:29 UTC
Eek.  What a tempest.  It looks like neither the exploit nor the patch attempts are meeting with much success so far.  I'll keep an eye on this.

Comment 3 Greg Knaddison 2012-03-29 23:56:01 UTC
I believe the analysis of this report could be applied, for example, to Bugzilla and find it has similar flaws. Bugzilla uses  an input type="hidden" name="token" value="long-hash" to provide csrf protection, no? And if someone could sniff that value via mitm or client-side sniffing, does bugzilla have protection such as referrer detection?

The CSRF logout "vulnerability" seems to exist as well. Consider this attack <img src="https://bugzilla.redhat.com/index.cgi?logout=1">

I welcome your analysis and the Drupal project is open to constructive criticism, but I believe most web applications are vulnerable to these issues. That's why we suggest fixes that are at different layers in the stack (e.g. https).

For sites built in Drupal that need extra protection (e.g. for the logout issue) there is a contributed module at http://drupal.org/sandbox/davereid/1332490 which uses our standard token system.

Sites that want to add referrer detection to some or all form actions could do so via the Form API, though I'm not aware of such a module in existence.

Comment 4 Ivano Binetti 2012-04-05 18:02:42 UTC
Greg, to exploit this vulnerability (force administrator/user's logout) you don't need to sniff anti-CSRF token. You have only to create a web page containing a simple POST (or GET, as Drupal don't care about it) http request , as explained in my Original Advisory (http://www.webapp-security.com/wp-content/uploads/2012/03/Drupal-7.12-latest-stable-release-Multiple-Vulnerabilities.txt). 

As I've already explained in Drupal's Group (http://groups.drupal.org/node/216314)
only to add Drupal Administrator you have to sniff anti-CSRF token due to a "problem" related to token's logic generation. MITRE CVE Numbering Authority classified my recommendations about token generation as Drupal's "security improvements".


Note You need to log in before you can comment on or make changes to this bug.