- Advisory ID: DRUPAL-SA-CONTRIB-2014-119
- Project: Google Analytics (third-party module)
- Version: 7.x
- Date: 2014-December-10
- Security risk: 11/25 ( Moderately Critical) AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
- Vulnerability: Information Disclosure
Description
This module enables you to integrate Drupal with Google Analytics.
The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.
This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Google Analytics 7.x-2.0. Neither earlier nor later versions are affected.
Drupal core is not affected. If you do not use the contributed Google Analytics module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Google Analytics module for Drupal 7.x, upgrade to Google Analytics 7.x-2.1
Affected sites are urged to generate a new hash salt and store it in settings.php
.
Methods to generate a new hash salt
- With drush:
drush php-eval 'echo(drupal_random_key()) . "n";'
- With openssl:
openssl rand -base64 32
How to replace the hash salt
- Open your
settings.php
file (e.g.,sites/default/settings.php
- Locate the variable
$drupal_hash_salt
:<?php
/**
* Salt for one-time login links and cancel links, form tokens, etc.
* [...]
*/
$drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
?> - Replace the value and safe the file
- Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing
drush cache-clear all
Effects caused by replacing the hash salt
- Password reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
- Existing image style urls will stop working. A cache flush is necessary such that all
<img>
tags are updated.
If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.
Also see the Google Analytics project page.
Reported by
- Alexander Hass the module maintainer
- znerol
Fixed by
- Alexander Hass the module maintainer
Coordinated by
- Klaus Purer of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity