Vigil@nce - Drupal Mime Mail : mail spoofing
March 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can predict a random value used by Drupal Mime Mail, in
order to send a spoofed email.
Impacted products : Drupal Modules
Severity : 2/4
Creation date : 27/02/2014
DESCRIPTION OF THE VULNERABILITY
The Mime Mail module can be installed on Drupal.
Incoming emails are authenticated by a random key. However, on
some platforms, such as Windows, this random value can only take 32767
different values.
An attacker can therefore predict the random value used by Drupal Mime
Mail, in order to send a spoofed email.
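Added example, not part of the Vigil@nce bulletin and not Mime Mail code: a Python sketch showing that a key derived from a random with 32767 possible values keeps about 15 bits of entropy however long it looks, next to a key drawn from the operating system CSPRNG and compared in constant time. The SHA-256 derivation, the 128-bit threshold and all function names are assumptions made for illustration; the bulletin does not say how the module builds its key.

```python
import hashlib
import hmac
import math
import secrets

# Number of distinct values the bulletin gives for the weak random.
WEAK_VALUES = 32767


def weak_key(n: int) -> str:
    """Constructed stand-in: a key derived by hashing a small random integer."""
    return hashlib.sha256(str(n).encode()).hexdigest()


def distinct_weak_keys() -> int:
    """Count every key the weak derivation can ever produce."""
    return len({weak_key(n) for n in range(WEAK_VALUES)})


def keyspace_bits(distinct_keys: int) -> float:
    """Entropy of a uniformly chosen key, in bits."""
    return math.log2(distinct_keys)


def acceptable_key_source(distinct_keys: int, min_bits: int = 128) -> bool:
    """Audit check: reject key sources below min_bits (128 is an assumed floor)."""
    return keyspace_bits(distinct_keys) >= min_bits


def strong_key() -> str:
    """256-bit key from the operating system CSPRNG, hex encoded."""
    return secrets.token_hex(32)


def verify_key(presented: str, expected: str) -> bool:
    """Constant-time comparison, so timing does not leak matching prefixes."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    n = distinct_weak_keys()
    print(f"weak: {n} keys, {keyspace_bits(n):.2f} bits, ok={acceptable_key_source(n)}")
    print(f"strong: 2**256 keys, ok={acceptable_key_source(2**256)}")
    key = strong_key()
    print("verify:", verify_key(key, key), verify_key(weak_key(1), key))
```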
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Mime-Mail-mail-spoofing-14332