Synopsis
The remote server is hosting an outdated installation of Drupal that is vulnerable to multiple attack vectors.
Description
The remote server is hosting an outdated version of Drupal, a PHP-based open-source content management system. The version of Drupal installed on the remote server is 6.x prior to 6.38, and is affected by the following vulnerabilities :
- A flaw exists in the deserialization of user-supplied session data. An authenticated, remote attacker can exploit this, via truncated session data, to execute arbitrary code.
- A flaw exists in the 'XML-RPC' system due to a failure to limit the number of simultaneous calls being made to the same method. A remote attacker can exploit this to facilitate brute-force attacks.
- A cross-site redirection vulnerability exists due to improper validation of unspecified input before returning it to the user, which can allow the current path to be filled-in with an external URL. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker's choosing that targets weaknesses in the client-side software or is used for phishing attacks.
- A flaw exists that allows input, such as JavaScript, to be submitted for form buttons even if '#access' is set to FALSE in the server-side form definition. An authenticated, remote attacker can exploit this to bypass access restrictions.
- A flaw exists in the 'drupal_set_header()' function due to improper sanitization of user-supplied input passed as the header value. A remote attacker can exploit this, via crafted content containing line breaks, to set arbitrary headers.
- A flaw exists in the 'drupal_goto()' function due to a failure to properly validate the content of the '$_REQUEST['destination']' value before returning it to the user. A remote attacker can exploit this, via a crafted link, to redirect a user to a malicious web page of the attacker's choosing that targets weaknesses in the client-side software or is used for phishing attacks.
- An unspecified reflected file download flaw exists that allows an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.
- A flaw exists, related to how the 'user_save()' API is utilized, due to assigning improper roles when saving user accounts. An authenticated, remote attacker can exploit this, via crafted data added to a form or array, to gain elevated privileges.
Solution
Upgrade to Drupal 6.38, or later.