PT-2016-5396 · Php+1 · Php+1
Pere Orga
·
Published
2016-04-12
·
Updated
2022-05-17
·
CVE-2016-3167
CVSS v3.1
7.4
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Drupal versions 6.x before 6.38
Description
The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a double-encoded URL in the
destination parameter of the drupal goto function, specifically when used with PHP before 5.4.7.Recommendations
For Drupal versions 6.x before 6.38, update to version 6.38 or later to resolve the issue. As a temporary workaround, consider restricting access to the drupal goto function to minimize the risk of exploitation. Avoid using the
destination parameter in the affected function until the issue is resolved.Exploit
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Drupal
Php