Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2014-120
- Project: Piwik Web Analytics (third-party module)
- Version: 7.x
- Date: 2014-December-10
- Security risk: 11/25 ( Moderately Critical) AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
- Vulnerability: Information Disclosure
Description
This module enables you to integrate Drupal with Piwik Web Analytics.
The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on.
This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account on the site.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Piwik Web Analytics 7.x-2.6. Neither earlier nor later versions are affected.
Drupal core is not affected. If you do not use the contributed Piwik Web Analytics module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Piwik Web Analytics module for Drupal 7.x, upgrade to Piwik Web Analytics 7.x-2.7
Affected sites are urged to generate a new hash salt and store it in settings.php.
Methods to generate a new hash salt
- With drush:
drush php-eval 'echo(drupal_random_key()) . "\n";' - With openssl:
openssl rand -base64 32
How to replace the hash salt
- Open your
settings.phpfile (e.g.,sites/default/settings.php - Locate the variable
$drupal_hash_salt:
/** * Salt for one-time login links and cancel links, form tokens, etc. * [...] */ $drupal_hash_salt = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'; - Replace the value and safe the file
- Flush all caches either from within the administrative UI (Administration » Configuration » Development » Performance) or by issuing
drush cache-clear all
Effects caused by replacing the hash salt
- Password reset links generated before the new hash salt will not work anymore. Affected users need to request a new password reset link.
- Existing image style urls will stop working. A cache flush is necessary such that all
<img>tags are updated.
If immediate installation / regeneration of the hash salt is not possible, then disable user-id tracking at once.
Also see the Piwik Web Analytics project page.
Reported by
Fixed by
- Alexander Hass the module maintainer
Coordinated by
- Klaus Purer of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
