Drupal, a content management software platform that is used to make loads of business websites and applications is urging users to upgrade to the latest release that looks to patch 2 critical remote code execution bugs impacting Drupal 7 and Drupal 8. It doesn’t just stop there, developers have also uncovered three additional “moderately critical” vulnerabilities.
The 2 critical bugs use PHP’s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8 which includes an injection vulnerability in the default Drupal backend.
“A remote attacker could exploit some of these vulnerabilities to take contro of an affected system,” according to a security bulletin posted by the United States Computer Emergency Readiness Team (US CERT).
The advisory of the vulnerability expressed that when using this default mail system to send emails, some variables were not being sanitised for shell arguments, according to a separate advisory released by the Drupal developer community. When the untrusted input is not sanitised correctly that could lead to remote code execution.
This glitch was reported by security researcher and senior web developer Damien Tournoud with Princeton University. A second remote code execution bug, reported by Nick Booher, exists in Drupal 9’s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page – without having to navigate to the Admin Dashboard.
Nick also mentioned a second remote code execution bug that exists in Drupal 9’s contextual Links module. However, the contextual links module doesn’t sufficiently validate the requested contextual links. This means that a hacker could launch a remote code execution attack in these links.
There is one upside, states Drupal:
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission ‘access contextual links,’”.
Drupal also acknowledged three other “moderately critical” bugs in its advisory.
The first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, in some conditions, content moderation fails to check a users’ access to use certain transitions – potentially allowing access bypass.
Another open redirect vulnerability in Drupal 7 and 8 allows an external URL injection through URL aliases.
The path module allows users with the ‘administer paths’ to create pretty URLs for content – and that means that “In certain circumstances, the user can enter a particular path that triggers an open redirect to a malicious URL,” Drupal said.
The issue is mitigated by the fact that the user needs the administer paths permission to exploit, Drupal said.
Finally, a “moderately critical” bug in Drupal’s redirect process allows bad actors to trick users into visiting third party websites.
According to Drupal, Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page.
“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” said Drupal.
All bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.
“Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,” the company said.
Drupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw (CVE-2018-7600) in March impacting versions 6,7, and 8 of Drupal’s CMS platform, which impacted over one million sites running Drupal.
Contact us fir assistance.
Other Articles You May Enjoy:
Share your thoughts in the Comments section: