CVE-2014-9016

Drupal <7.34, phpass <6.2.1 - DoS

Title source: llm

Description

The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.

Exploits (3)

exploitdb WORKING POC

by Javer Nieto & Andres Rojas · textdosphp

https://www.exploit-db.com/exploits/35415

View Code ZIP pw:eip

nomisec WORKING POC 13 stars

by c0r3dump3d · poc

https://github.com/c0r3dump3d/wp_drupal_timing_attack

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by Primus27 · poc

https://github.com/Primus27/WordPress-Long-Password-Denial-of-Service

View Code ZIP pw:eip

References (9)

[Third Party Advisory] http://secunia.com/advisories/59164

[Third Party Advisory] http://secunia.com/advisories/59814

[Third Party Advisory] http://www.debian.org/security/2014/dsa-3075

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2014/11/20/21

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2014/11/20/3

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2014/11/21/1

[Vendor Advisory] https://www.drupal.org/SA-CORE-2014-006

[Patch, Vendor Advisory] https://www.drupal.org/node/2378367

[Patch, Vendor Advisory] https://www.drupal.org/node/2378375

Scores

EPSS 0.7979

EPSS Percentile 99.1%

Details

Status published

Products (3)

debian/debian_linux 7.0

drupal/drupal 7.0 - 7.34

secure_password_hashes_project/secure_passwords_hashes 6.x-2.0 - 6.x-2.1

Published Nov 24, 2014

Tracked Since Feb 18, 2026