CVE-2012-4554
Published 2012-11-11
CVE-2012-4554: The OpenID module in Drupal 7.x before 7.16 allows remote OpenID servers to read arbitrary files via a crafted DOCTYPE declaration in an XRDS file.
Priority: P3 (42) · CVSS 2.0: 5 (medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: EPSS 15.81% (96.5th percentile)
Affected
16 ranges (every row in the record is identical: vendor drupal, product drupal, no version range or fixed-in value given)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal | — | — |
Detection & IOCs (extracted from sources)
- Detect crafted DOCTYPE declarations in XRDS files returned by remote OpenID servers, which may indicate an XXE injection attempt targeting the Drupal OpenID module.
- Monitor Drupal OpenID authentication flows for responses containing DOCTYPE declarations with SYSTEM or PUBLIC entity references, which are characteristic of XXE payloads used to read arbitrary files.
- Vulnerability only affects Drupal 7.x installations with the OpenID module explicitly enabled; sites without OpenID enabled are not affected.
- The attack is triggered by a remote OpenID server returning a malicious XRDS file; exploitation requires the victim Drupal site to initiate an OpenID authentication request to an attacker-controlled endpoint.
- Fixed in Drupal 7.16; versions 7.x before 7.16 are vulnerable.
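The two detection bullets above amount to one check: an XRDS document fetched during OpenID discovery should never carry a DOCTYPE, and a DOCTYPE with SYSTEM/PUBLIC/ENTITY markers is the XXE signature. The following is an added example (not Drupal's code and not from the sources cited here) of a triage function that rejects such documents before any XML parser sees them and otherwise extracts the OpenID endpoints; the XRDS samples, the `openid.example.test` host and the `file:///example-local-file` path are constructed.

```python
"""Triage helper for XRDS documents fetched during OpenID discovery (constructed example)."""
import re
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"  # namespace of XRD/Service/URI elements in XRDS
# Any DOCTYPE is rejected outright; SYSTEM/PUBLIC/ENTITY are recorded so the
# reason string says whether the declaration looked like an external-entity payload.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
XXE_MARKERS = (b"SYSTEM", b"PUBLIC", b"<!ENTITY")


def check_xrds(raw: bytes) -> dict:
    """Return {'accepted': bool, 'reason': str, 'endpoints': [uri, ...]}."""
    if DOCTYPE_RE.search(raw):
        # Scan the raw bytes, not a parsed tree: the point is to refuse the
        # document before any entity could be resolved.
        markers = [m.decode() for m in XXE_MARKERS if m in raw.upper()]
        reason = "DOCTYPE declaration in XRDS"
        if markers:
            reason += " with " + "/".join(markers)
        return {"accepted": False, "reason": reason, "endpoints": []}
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc}", "endpoints": []}
    endpoints = [u.text.strip() for u in root.iter(f"{{{XRD_NS}}}URI") if u.text]
    return {"accepted": True, "reason": "", "endpoints": endpoints}


# Constructed benign XRDS, shaped like an OpenID 2.0 provider's discovery response.
CLEAN_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://openid.example.test/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed hostile XRDS: a DOCTYPE declaring an external entity that a
# resolving parser would expand with local file contents (placeholder path).
XXE_XRDS = b"""<?xml version="1.0"?>
<!DOCTYPE xrds [<!ENTITY xxe SYSTEM "file:///example-local-file">]>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><URI>&xxe;</URI></Service></XRD>
</xrds:XRDS>"""
```

Run `check_xrds` on every XRDS body before it reaches the OpenID discovery code, and log the `reason` string for rejected documents.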
No detection rules found.
No writeups or analysis indexed.
References:
- http://drupal.org/node/1815912
- http://drupalcode.org/project/drupal.git/commit/b912710
- http://www.openwall.com/lists/oss-security/2012/10/29/4
- http://www.openwall.com/lists/oss-security/2012/10/30/5