Miggo Logo

CVE-2016-3167: Drupal Open redirect vulnerability in the drupal_goto function

7.4

CVSS Score
3.0

Basic Information

EPSS Score
0.69398%
Published
5/17/2022
Updated
4/23/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
drupal/corecomposer>= 6.0, < 6.386.38
drupal/drupalcomposer>= 6.0, < 6.386.38

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability title and CVE description explicitly name drupal_goto as the vulnerable function. The core issue stems from its handling of the 'destination' parameter - it performs a single rawurldecode() call but fails to account for double-encoded payloads that bypass Drupal's URL validation when PHP's built-in request parameter parsing automatically decodes inputs. This combination allows the redirect protection to be circumvented. The file path is confirmed through Drupal 6's code structure where common utilities like drupal_goto reside in includes/common.inc.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*n r**ir**t vuln*r**ility in t** *rup*l_*oto *un*tion in *rup*l *.x ***or* *.**, w**n us** wit* P*P ***or* *.*.*, *llows r*mot* *tt**k*rs to r**ir**t us*rs to *r*itr*ry w** sit*s *n* *on*u*t p*is*in* *tt**ks vi* * *ou*l*-*n*o*** URL in t** "**stin*

Reasoning

T** vuln*r**ility titl* *n* *V* **s*ription *xpli*itly n*m* *rup*l_*oto *s t** vuln*r**l* *un*tion. T** *or* issu* st*ms *rom its **n*lin* o* t** '**stin*tion' p*r*m*t*r - it p*r*orms * sin*l* r*wurl***o**() **ll *ut **ils to ***ount *or *ou*l*-*n*o*