CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS
Percentile
60.2%
The Hashcash project is an implementation of a Proof Of Work (POW) or Puzzle scheme where users of a service have to do computational work to have their request granted. In the case of the Drupal Hashcash project, the service is ‘form submission’ and the Proof Of Work is a token that causes a partial hash collision when concatenated with a given string. This is intended to stop spam submissions to a site.
When an invalid token is received and the setting “Log failed hashcash” is enabled, the invalid token is written to watchdog with incorrect placeholders.
This enables an attacker to insert arbitrary scripts into certain pages displayed to administrators via the core module Database logging.
Mitigation: The setting “Log failed hashcash” is disabled by default.
The Hashcash project also fails as a proper proof of work scheme:
The protection against spambots offered by the Drupal Hashcash project hinges on the lack of interest on behalf of an attacker.
CVE: CVE-2012-4469
Drupal core is not affected. If you do not use the contributed Hashcash module, there is nothing you need to do.
To solve the cross site scripting issue, install the latest version:
There is no solution for the insufficient proof of work. You need to consider the consequences of this for your sites.
Also see the Hashcash project page.