• Advisory ID: DRUPAL-SA-CORE-2015-004
• Project: Drupal core
• Version: 7.x
• Date: 2015-October-21
• Security risk: 9/25 ( Less Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Default
• Vulnerability: Open Redirect

Description

The Overlay module in Drupal core displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission, and that the Overlay module must be enabled.

An incomplete fix for this issue was released as part of SA-CORE-2015-002.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• Drupal core 7.x versions prior to 7.41.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal 7.41

Also see the Drupal core project page.

Reported by

• Samuel Mortenson
• Pere Orga of the Drupal Security Team

Fixed by

• Pere Orga of the Drupal Security Team
• David Rothstein of the Drupal Security Team

Coordinated by

• The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity