
CVE-2016-3171: Drupal arbitrary code execution

CVSS Score (3.0): 8.1

Basic Information

EPSS Score: 0.91779%
Published: 5/17/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
drupal/core | composer | >= 6.0, < 6.38 | 6.38
drupal/drupal | composer | >= 6.0, < 6.38 | 6.38

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability CVE-2016-3171 arises from a combination of Drupal 6.x's session handling and specific PHP versions (before 5.4.45, 5.5.29, 5.6.13) that improperly truncate session data. This truncation can lead to unsafe deserialization of user-controlled data, enabling arbitrary code execution. However, the core issue lies in PHP's session management and serialization behavior, not in specific Drupal functions. Drupal's session handling (e.g., _drupal_session_read()) interacts with PHP's vulnerable session mechanisms, but no Drupal functions directly contain exploitable code. The vulnerability is environmental, requiring outdated PHP versions, and no specific Drupal functions can be pinpointed with high confidence based on the provided information.
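
Because exposure depends on the Drupal and PHP versions together, a fleet check has to test both; the following is an added example, not Miggo's or Drupal's code. The host names and inventory rows are constructed, and reading the three PHP thresholds as one fixed release per branch is an assumption.

```python
import re

# Version ranges as stated in the advisory text above.
DRUPAL_MIN, DRUPAL_FIXED = (6, 0), (6, 38)
# Assumption: each PHP threshold is the first fixed release of its own branch;
# anything older than the 5.4 threshold counts as unfixed.
PHP_OLDEST_FIXED = (5, 4, 45)
PHP_BRANCH_FIXED = {(5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}


def parse_version(text, parts):
    """Leading numeric components as a tuple, ignoring package suffixes."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(n) for n in m.group(1).split(".")][:parts]
    return tuple(nums + [0] * (parts - len(nums)))


def php_is_vulnerable(php):
    v = parse_version(php, 3)
    if v < PHP_OLDEST_FIXED:
        return True
    fixed = PHP_BRANCH_FIXED.get(v[:2])
    return fixed is not None and v < fixed


def affected(drupal, php):
    # Environmental issue: both version conditions must hold.
    in_range = DRUPAL_MIN <= parse_version(drupal, 2) < DRUPAL_FIXED
    return in_range and php_is_vulnerable(php)


# Constructed inventory rows: (host, Drupal version, PHP version).
INVENTORY = [
    ("web-01", "6.37", "5.4.44"),
    ("web-02", "6.37", "5.6.13"),
    ("web-03", "6.38", "5.3.29"),
    ("web-04", "6.20", "5.5.28-1+build1"),
    ("web-05", "7.43", "5.5.9"),
]


def audit(inventory):
    return [host for host, drupal, php in inventory if affected(drupal, php)]


if __name__ == "__main__":
    print(audit(INVENTORY))
```

Distribution PHP packages can carry backported fixes under an older upstream version number, so treat a match as a lead to verify against the vendor changelog.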
