Abstract Advisory Information
CERT-XLM have found a security issue affecting the Drupal security module named SecKit (https://www.drupal.org/project/seckit). When a Drupal site, through the security module named SecKit, use a Content-Security-Policy behaving in “reporting” mode, each policy violation generate a hit (HTTP POST request) on the notification URL specified in the policy (by default is https://mysite.com/admin/config/system/seckit/csp-report). This notification URL is reachable from anonymous point of view. Using this fact, the notification endpoint in charge of handling the notification hit, can be abused in order to block access for administrator to recent event log messages in Drupal panel located at the following URL: https://mysite.com/admin/reports/dblog. This blocking is useful, for example, to hide malicious parallel activity on site. Moreover, this issue can also be used to cause a DOS. Excellium CSIRT vulnerability identifier affected to this issue is XLM-2016-121
Version inferior or equals to SecKit 7.x-1.9
Common Vulnerability Scoring System
A new feature named “flood control” is available in version “7.x-1.x-dev” and superior. This feature allows Drupal administrators to define limits on frequency and length on CSP notification events sent. CERT-XLM also recommends to define a length limit on requests sent to the SecKit endpoint at infrastructure level (WAF, Web Server, and PHP configuration).
Vulnerability Disclosure Timeline
- 2016-09-02: Security note sent to Drupal Security team about the vulnerability.
- 2016-09-02: Acknowledge from Drupal Security team about reception of our note and start of technical exchanges with CERT-XLM.
- 2016-09-04: Drupal Security team refuse the creation of a CVE because they do not consider this issue as a security issue.
- 2016-09-05: End of technical exchange with CERT-XLM, let Drupal Security team finalize the “flood control” feature.
- 2016-10-05: Publishing of the Security Advisory.