New Drupal versions fix admin account hijack flaw

New versions of popular open source content management system Drupal are out, and fix a series of vulnerabilities, including a critical one that can result in an attacker taking over administrator accounts.

“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the Drupal security team explained in an advisory.

“This vulnerability (CVE-2015-3234) is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).”

The other three flaw are less critical – serious enough if the attacker can exploit them, but exploitation is difficult because of certain mitigation factors.

For example, CVE-2015-3232 is a flaw in the Field UI module that allows, under certain circumstances, malicious users to use the “destinations” query string parameter to construct a URL that will trick users into being redirected to a potentially malicious 3rd party website. But this attack can only be executed only on sites where the Field UI module is enabled.

The developers “strongly recommend” users to update to Drupal versions 6.36 and 7.38.