Drupal Core URI Redirection Vulnerability
BID:53365
Info
| Bugtraq ID: | 53365 |
| Class: | Input Validation Error |
| CVE: | CVE-2012-1589 |
| Remote: | Yes |
| Local: | No |
| Published: | May 03 2012 12:00AM |
| Updated: | Apr 09 2013 01:38PM |
| Credit: | Károly Négyesi |
| Vulnerable: | Drupal 7.12, 7.11, 7.10, 7.1, 7.0 Dev, 7.0 Alpha7, 7.0 Alpha6, 7.0 Alpha5, 7.0 Alpha4, 7.0 Alpha3, 7.0 Alpha2, 7.0 Alpha1, 7.0 |
| Not Vulnerable: | Drupal 7.13 |
Discussion
Drupal is prone to an open-redirection vulnerability because the application fails to properly sanitize user-supplied input.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
Drupal versions 7.x through 7.12 are vulnerable.
Exploit / POC
An attacker can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for more details.
References
References:
- Drupal Homepage (Drupal)
- SA-CORE-2012-002 - Drupal core multiple vulnerabilities (DRUPAL)