CVE-2009-2374 in Drupal

Summary

by MITRE

Drupal 5.x before 5.19 and 6.x before 6.13 does not properly sanitize failed login attempts for pages that contain a sortable table, which includes the username and password in links that can be read from (1) the HTTP referer header of external web sites that are visited from those links or (2) when page caching is enabled, the Drupal page cache.

Analysis

by VulDB Data Team • 04/06/2025

This vulnerability affects Drupal content management systems in versions 5.x prior to 5.19 and 6.x prior to 6.13, and specifically concerns the handling of failed login attempts on pages that contain sortable tables. The flaw stems from inadequate input sanitization when authentication fails, creating an information disclosure risk that can be exploited through more than one vector. The vulnerability is particularly concerning because it leverages the HTTP referer header mechanism and Drupal's page caching functionality to expose sensitive authentication data.

The technical implementation of this vulnerability occurs when users attempt to log in to Drupal sites with invalid credentials on pages that contain sortable table elements. During these failed authentication attempts, the system generates links that include the username and password information in their URLs. This happens because the system fails to properly sanitize the authentication parameters before including them in the links that are part of the sortable table functionality. The vulnerability is categorized under CWE-20 as "Improper Input Validation" and relates to CWE-200 as "Information Exposure" since it exposes sensitive authentication data through unintended channels.

The operational impact of this vulnerability is significant as it allows attackers to obtain valid username and password combinations through passive reconnaissance methods. When users click on links from external websites, the HTTP referer header contains the full URL including authentication parameters, which can be read by external sites. Additionally, when page caching is enabled, the Drupal cache may store these vulnerable links, making the information accessible to anyone who can access the cached pages. This creates a persistent exposure risk that extends beyond individual user sessions and can be exploited by attackers monitoring network traffic or accessing cached content.

The vulnerability aligns with several ATT&CK techniques including T1566.001 "Phishing" through the potential for attackers to craft malicious links that appear legitimate while containing authentication data, and T1071.004 "Application Layer Protocol: DNS" since the referer header information can be extracted through DNS monitoring. The attack surface is broad as it affects any Drupal installation using sortable tables on login or administrative pages, particularly those with page caching enabled. The exploit requires minimal technical skill and can be automated to harvest credentials from multiple sites, making it particularly dangerous in environments where users frequently navigate between sites.

Mitigation strategies include applying the official security patches released by Drupal for versions 5.19 and 6.13, which properly sanitize the authentication data in sortable table links. Organizations should also implement proper HTTP referer header filtering to prevent sensitive information leakage, disable unnecessary page caching for authentication-related pages, and consider implementing additional authentication security measures such as account lockout mechanisms and multi-factor authentication. Network monitoring should be enhanced to detect suspicious referer header patterns, and regular security audits should verify that all sortable table functionality properly sanitizes user inputs. The vulnerability demonstrates the importance of input validation across all user interface elements and highlights the need for comprehensive security testing of web application components that handle sensitive data.
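The mechanism described above (request parameters from a failed login POST being carried into sortable-table header links) and the audit step recommended in the mitigation paragraph can be illustrated with the following added example. It is not Drupal code and not part of the VulDB entry: the two link builders are a simplified model of how a table-header link is assembled from request data, with the vulnerable pattern beside a hardened one, and the audit function scans rendered or cached HTML for links whose query string carries credential-looking parameters. The field names `name` and `pass`, the allow-list `SORT_KEYS`, the path `/admin/content` and all sample values are constructed for this example.

```python
"""Constructed model of the CVE-2009-2374 leak plus a defender-side audit check.

Not Drupal code: the link builders below only model the pattern the analysis
describes, namely header links that reflect every request parameter.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

# Query parameters a sortable-table link legitimately carries forward (assumed allow-list).
SORT_KEYS = {"sort", "order", "page"}
# Login-form field names as assumed in this example; 'password' is included so the
# audit also catches the more common spelling.
CREDENTIAL_KEYS = {"name", "pass", "password"}

# Constructed sample request: a failed login POST on a paged, sortable listing.
FAILED_LOGIN_GET = {"page": "2"}
FAILED_LOGIN_POST = {"name": "alice", "pass": "hunter2", "form_id": "user_login_block"}


def build_sort_link_vulnerable(base_path, get_params, post_params, sort_field):
    """Vulnerable pattern: carry *every* request parameter (GET merged with the
    POSTed form fields) into the header link. After a failed login, the submitted
    'name' and 'pass' fields therefore end up in the href."""
    params = {**get_params, **post_params}
    params["order"] = sort_field
    params["sort"] = "asc"
    return f"{base_path}?{urlencode(params)}"


def build_sort_link_fixed(base_path, get_params, sort_field):
    """Hardened pattern: consult only the URL query string, never POST bodies,
    and carry forward only an explicit allow-list of parameters."""
    params = {k: v for k, v in get_params.items() if k in SORT_KEYS}
    params["order"] = sort_field
    params["sort"] = "asc"
    return f"{base_path}?{urlencode(params)}"


class _HrefCollector(HTMLParser):
    """Collects the href attribute of every <a> tag (entities are unescaped by HTMLParser)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def find_credential_leaks(html):
    """Return a list of (href, leaked_parameter_names) for every link whose query
    string carries a credential-looking parameter. Intended to run over cached
    pages or crawler output as part of a periodic audit."""
    collector = _HrefCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        query = parse_qs(urlparse(href).query, keep_blank_values=True)
        leaked = sorted(k for k in query if k.lower() in CREDENTIAL_KEYS)
        if leaked:
            leaks.append((href, leaked))
    return leaks


def demo():
    """Render the same table header both ways and audit the vulnerable rendering."""
    vuln = build_sort_link_vulnerable("/admin/content", FAILED_LOGIN_GET, FAILED_LOGIN_POST, "title")
    fixed = build_sort_link_fixed("/admin/content", FAILED_LOGIN_GET, "title")
    # A cached page would contain the link HTML-escaped, so escape '&' as a browser would see it.
    page = f'<table><tr><th><a href="{vuln.replace("&", "&amp;")}">Title</a></th></tr></table>'
    return vuln, fixed, find_credential_leaks(page)


if __name__ == "__main__":
    vulnerable_link, fixed_link, leaks = demo()
    print("vulnerable:", vulnerable_link)
    print("fixed:     ", fixed_link)
    for href, keys in leaks:
        print("LEAK", keys, "in", href)
```

The audit function deliberately matches on parameter names rather than values, so it is also useful as a pre-deployment check against a rendered page even when the sample credentials are unknown; on sites where `name` is a legitimate query parameter, narrow `CREDENTIAL_KEYS` to avoid false positives.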

Reservation

07/08/2009

Disclosure

07/08/2009

Moderation

accepted

Entry

VDB-48919

CPE

ready

EPSS

0.01396

KEV

no

Activities

very low
