
CVE-2012-1589:
Drupal Open Redirect

CVSS (v2) Score: 5.8

Basic Information

EPSS Score: 0.62641%
Published: 5/17/2022
Updated: 8/29/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Package Name  | Ecosystem | Vulnerable Versions | First Patched Version
drupal/drupal | composer  | >= 7.0, < 7.13      | 7.13

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability stems from missing validation of the user-supplied 'destination' query parameter in Drupal 7's Form API redirection logic. drupal_get_destination() reads the 'destination' value from the request and drupal_goto() performs the redirect; before Drupal 7.13 neither step checked that the value was an internal path, so a crafted link could send a user who submitted a form to an arbitrary external site. This corresponds to CWE-20 (improper input validation) and CWE-601 (open redirect) as listed in the advisories. Because the Form API relies on these functions for post-submit redirection, a 'destination' parameter attached to any form URL is the primary attack vector.
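The following is an added example, not Drupal core code, that models the pattern described above: a redirect target taken verbatim from ?destination= next to a hardened variant that only accepts internal paths. The helper names (example_is_internal_path, example_vulnerable_redirect_target, example_hardened_redirect_target) and the fallback path 'node' are this example's own assumptions; Drupal core's real check is url_is_external(), which this stand-in does not call. The inputs are constructed to show the bypass shapes a crafted link would use (absolute URL, protocol-relative, backslash, scheme, CRLF).

```php
<?php
// Added example (not Drupal core). Models the pre-7.13 pattern: a user-supplied
// ?destination= value is handed straight to a redirect, versus a hardened
// variant that only accepts internal paths. Helper names are hypothetical.

/**
 * Return true only for paths that stay on this site.
 * Rejects anything carrying a scheme, protocol-relative "//host", backslash
 * variants that browsers normalise to "/", and embedded control characters.
 */
function example_is_internal_path(string $destination): bool {
    // Empty, or containing CR/LF/NUL/control bytes: reject (header injection,
    // parser confusion between server and browser).
    if ($destination === '' || preg_match('/[\x00-\x1f\x7f]/', $destination)) {
        return false;
    }
    // Any scheme prefix ("http:", "https:", "javascript:", "data:") is external.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $destination)) {
        return false;
    }
    // "//evil.example" and "/\evil.example" are both resolved as another host.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    // A leading backslash is treated as "/" by some browsers; reject it too.
    if ($destination[0] === '\\') {
        return false;
    }
    return true;
}

/** Vulnerable: the behaviour described for Drupal < 7.13, target used as-is. */
function example_vulnerable_redirect_target(array $query): string {
    return isset($query['destination']) ? $query['destination'] : 'node';
}

/** Hardened: an external destination falls back to the site front page. */
function example_hardened_redirect_target(array $query): string {
    $dest = $query['destination'] ?? '';
    return example_is_internal_path($dest) ? $dest : 'node';
}

// Constructed inputs, as a crafted form link would supply them in the query string.
$cases = [
    'node/1?foo=bar',                              // legitimate internal path
    'https://phish.example/login',                 // absolute external URL
    '//phish.example/login',                       // protocol-relative
    '/\\phish.example',                            // backslash variant
    'javascript:alert(1)',                         // non-http scheme
    "node/1\r\nLocation: https://phish.example",   // CRLF injection attempt
];
foreach ($cases as $c) {
    printf("%-48s vulnerable=%-42s hardened=%s\n", json_encode($c),
        example_vulnerable_redirect_target(['destination' => $c]),
        example_hardened_redirect_target(['destination' => $c]));
}
```

Run with `php example.php`; only the first case survives the hardened check, every other input is sent to the fallback page. The deny-on-doubt ordering matters: scheme and double-slash checks run before anything else, because a single missed prefix form (for example "/\\host") is enough to reopen the redirect.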

Vulnerable functions


WAF Protection Rules

WAF Rule

Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.
