Versions 6.35 and 7.35 of the Drupal content management system (CMS) are available for download. These security releases address two moderately critical vulnerabilities.
One of the vulnerabilities can be exploited under certain circumstances to forge password reset URLs. An attacker can leverage the flaw to gain access to user accounts without knowing their password.
The most vulnerable Drupal websites are ones where the same password is used for multiple accounts. In Drupal 7, the flaw is exploitable only if website administrators import or programmatically edit accounts in a way that results in the same password hash for multiple accounts. In Drupal 6, the vulnerability is also exploitable if administrators create multiple new user accounts with the same password, or if the password hash field in the database is empty.
“Drupal 6 sites that have empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability. This could apply to sites that use external authentication so that the password field is set to a fixed, invalid value,” Drupal said in a security advisory.
The open redirect vulnerability fixed with the release of Drupal 6.35 and 7.35 is related to the “destination” parameter, which is often used in URLs to redirect users to a new page after they have completed an action.
“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” Drupal said. “In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when not intending to, potentially leading to additional open redirect vulnerabilities.”
The vulnerabilities affect Drupal 6.x versions prior to 6.35 and Drupal 7.x versions prior to 7.35. Users are advised to update their installations as soon as possible.
The access bypass issue was reported by Daniël Smidt, while the open redirect flaw was identified by members of the Drupal security team.
Currently, there are more than 1.1 million websites using Drupal. According to Drupal, version 7 is the most popular with roughly 983,000 installs.