Vigil@nce - Drupal Node.js integration: message sending
April 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An unauthenticated attacker can connect to sockets via the API of
Drupal Node.js integration, in order to send a message to users.
Impacted products: Drupal Modules (list not comprehensive).
Severity: 2/4.
Creation date: 18/02/2016.
DESCRIPTION OF THE VULNERABILITY
The Node.js integration module can be installed on Drupal.
The module adds realtime capabilities, which can be used to send
messages to connected clients. However, the module does not
disconnect unauthenticated JavaScript (Node.js) sockets.
An unauthenticated attacker can therefore connect to sockets via
the API of Drupal Node.js integration, in order to send a message
to users.
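The missing control described above, as an added example that is not part of the original bulletin and not the module's own code: a gate that relays messages only from authenticated sockets and disconnects sockets that fail to authenticate or never authenticate within a grace period. The class name SocketGate, its methods, the token values and the 5-second grace period are all assumptions made for illustration; a socket is any object with send() and close().

```javascript
// Added example: hypothetical gate for realtime sockets (not the module's code).
class SocketGate {
  // validTokens: tokens the backend issued to logged-in users (constructed values).
  constructor(validTokens, graceMs = 5000) {
    this.validTokens = new Set(validTokens);
    this.graceMs = graceMs;
    this.sockets = new Map(); // id -> { socket, connectedAt, authenticated }
  }

  // Every new socket starts unauthenticated; record when it connected.
  onConnect(id, socket, now) {
    this.sockets.set(id, { socket, connectedAt: now, authenticated: false });
  }

  // A wrong token disconnects the socket at once instead of leaving it open.
  onAuth(id, token) {
    const entry = this.sockets.get(id);
    if (!entry) return false;
    if (this.validTokens.has(token)) {
      entry.authenticated = true;
      return true;
    }
    this.drop(id);
    return false;
  }

  // Relay only when the sender is authenticated; returns the delivery count.
  onMessage(id, text) {
    const sender = this.sockets.get(id);
    if (!sender || !sender.authenticated) { this.drop(id); return 0; }
    let delivered = 0;
    for (const [otherId, e] of this.sockets) {
      if (otherId !== id && e.authenticated) { e.socket.send(text); delivered++; }
    }
    return delivered;
  }

  // Call from a timer: drops sockets still unauthenticated after graceMs.
  sweep(now) {
    const expired = [];
    for (const [id, e] of this.sockets) {
      if (!e.authenticated && now - e.connectedAt >= this.graceMs) expired.push(id);
    }
    expired.forEach((id) => this.drop(id));
    return expired;
  }

  drop(id) {
    const e = this.sockets.get(id);
    if (e) { e.socket.close(); this.sockets.delete(id); }
  }
}
```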
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Drupal-Node-js-integration-message-sending-18968