This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: A flaw in Drupal's password hashing API allows **CPU exhaustion**.β¦
π‘οΈ **Root Cause**: Input validation error in the **password hashing API**. π **Flaw**: The system fails to limit computational cost for specific inputs, leading to resource exhaustion. (CWE not specified in data).
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **Drupal 7.33** and earlier. π **Modules**: **Drupal Secure Password Hashes** (phpass) version **6.x-2.0** and earlier. π **Tech**: PHP-based CMS.
Q4What can hackers do? (Privileges/Data)
π― **Action**: Hackers cause **DoS** (CPU spike). π« **Privileges**: No direct data theft or RCE mentioned. β οΈ **Impact**: Service unavailability, not necessarily data breach.
Q5Is exploitation threshold high? (Auth/Config)
β‘ **Threshold**: **Low**. π **Auth**: **Remote** exploitation possible. π **Config**: No authentication required to send the crafted request. Any visitor can trigger it.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Exploit**: **Yes**. π **PoC**: Python scripts available on GitHub (e.g., `wp_drupal_timing_attack`, `WordPress-Long-Password-Denial-of-Service`).β¦
π **Check**: Scan for **Drupal 7.33-** or **phpass 6.x-2.0-**. π‘ **Indicator**: Look for unusual **CPU spikes** during login/password reset attempts.β¦
π§ **Workaround**: If patching is delayed, implement **rate limiting** on login/password endpoints. π **Mitigation**: Use WAF rules to block excessive hashing requests.β¦