Vigil@nce - Drupal Encrypt: encryption with Drupal private key
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can obtain the site private key via Drupal Encrypt, in
order to decrypt sensitive data.
Impacted products: Drupal Modules (not comprehensive).
Severity: 1/4.
Creation date: 19/11/2015.
DESCRIPTION OF THE VULNERABILITY
The Encrypt module can be installed on Drupal to encrypt data.
However, by default, the Drupal private key is used. This key may
thus be transmitted outside the site, and the recipient will be
able to decrypt other site data.
An attacker can therefore obtain the site private key via Drupal
Encrypt, in order to decrypt sensitive data.
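The key-reuse problem described above, shown as an added Python example (it is not code from this bulletin or from the Encrypt module). It compares one key shared for every purpose with per-purpose keys derived from a dedicated secret. The keys, nonces, plaintexts, the stand-in cipher and the HKDF-based key separation are all assumptions made for the illustration.

```python
import hashlib
import hmac

def hkdf_sha256(master: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869, SHA-256): derive a purpose-bound subkey from a master secret."""
    prk = hmac.new(salt or b"\x00" * 32, master, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stand-in cipher (HMAC-SHA256 keystream, unauthenticated).
    Encrypting and decrypting are the same operation. Not the module's cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

# Constructed sample values, not taken from any real site.
SITE_KEY = bytes(range(32))              # stands in for the Drupal private key
DEDICATED_MASTER = bytes(range(32, 64))  # separate secret kept only for encryption
INTERNAL = b"internal field: customer IBAN"
EXPORT = b"record exported to a partner"
N1, N2 = b"nonce-internal-1", b"nonce-export--01"

def shared_site_key() -> bool:
    """Default-style setup: everything is encrypted under the site key, so the
    partner who receives that key to read EXPORT can also read INTERNAL."""
    internal_ct = xor_cipher(SITE_KEY, N1, INTERNAL)
    key_given_to_partner = SITE_KEY
    return xor_cipher(key_given_to_partner, N1, internal_ct) == INTERNAL

def separated_keys() -> tuple:
    """Each purpose gets its own subkey; the partner only ever holds one."""
    field_key = hkdf_sha256(DEDICATED_MASTER, b"field-storage")
    partner_key = hkdf_sha256(DEDICATED_MASTER, b"partner-export")
    internal_ct = xor_cipher(field_key, N1, INTERNAL)
    export_ct = xor_cipher(partner_key, N2, EXPORT)
    reads_own = xor_cipher(partner_key, N2, export_ct) == EXPORT
    reads_internal = xor_cipher(partner_key, N1, internal_ct) == INTERNAL
    return reads_own, reads_internal

if __name__ == "__main__":
    print("shared site key, partner reads internal data:", shared_site_key())
    print("separated keys (reads own, reads internal):", separated_keys())
```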
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Encrypt-encryption-with-Drupal-private-key-18336