• Advisory ID: DRUPAL-SA-CONTRIB-2014-120
• Project: Piwik Web Analytics (third-party module)
• Version: 7.x
• Date: 2014-December-10
• Security risk: 11/25 ( Moderately Critical) AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
• Vulnerability: Information Disclosure

Description

This module enables you to integrate Drupal with Piwik Web Analytics.

The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.

This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance
  with Drupal Security Team processes.

Versions affected

• Piwik Web Analytics 7.x-2.6. Neither earlier nor later versions are affected.

Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Piwik Web Analytics module for Drupal 7.x, upgrade to Piwik Web Analytics 7.x-2.7

Affected sites are urged to generate a new hash salt and store it in settings.php.

Methods to generate a new hash salt

• With drush:
  drush php-eval 'echo(drupal_random_key()) . "n";'
• With openssl:
  openssl rand -base64 32

How to replace the hash salt

1. Open your settings.php file (e.g., sites/default/settings.php
2. Locate the variable $drupal_hash_salt:

   <?php
   /**
    * Salt for one-time login links and cancel links, form tokens, etc.
    * [...]
    */
   $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
   ?>

3. Replace the value and safe the file
4. Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing drush cache-clear all

Effects caused by replacing the hash salt

• Passwort reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
• Existing image style urls will stop working. A cache flush is necessary such that all <img> tags are updated.

If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.

Also see the Piwik Web Analytics project page.

Reported by

• znerol

Fixed by

• Alexander Hass the module maintainer

Coordinated by

• Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity