Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Drupal Patches Flaw Exploited in Spam Campaigns

Drupal security updates released on Wednesday address several vulnerabilities, including one that has been exploited in spam campaigns.

The flaw exploited in the wild, patched with the release of Drupal versions 7.56 and 8.3.4, is a moderately critical access bypass vulnerability tracked as CVE-2017-6922.

Drupal security updates released on Wednesday address several vulnerabilities, including one that has been exploited in spam campaigns.

The flaw exploited in the wild, patched with the release of Drupal versions 7.56 and 8.3.4, is a moderately critical access bypass vulnerability tracked as CVE-2017-6922.

The problem is that files uploaded by anonymous users to a private file system can be accessed by all anonymous users, not just the user who uploaded them, as it should be. The security hole only affects websites that allow anonymous users to upload files to a private file system.

Drupal has known about attacks exploiting this flaw since October 2016. At the time, it warned that misconfigured websites had been abused by malicious actors to host files and point users and search engines to them. The latest updates for Drupal 7 and 8 introduce a protection that should prevent exploitation.

“For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site,” the Drupal Security Team said in its October 2016 advisory.

Drupal 8.3.4 also patches a critical issue related to how the PECL YAML parser handles unsafe objects. An attacker can exploit the flaw, tracked as CVE-2017-6920, for remote code execution.

Another vulnerability fixed in Drupal 8 is a less critical improper field validation bug (CVE-2017-6921).

“A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource,” Drupal said in its advisory.

Advertisement. Scroll to continue reading.

The Drupal Security Team warned users in mid-April that a serious vulnerability affected a third-party module named References, which had been used by more than 121,000 websites. The module had no longer been supported and Drupal initially advised users to migrate to a different product. However, a new maintainer took over the project shortly after and the flaw was addressed.

Related: Recently Patched Drupal Flaw Exploited in the Wild

Related: Several Vulnerabilities Patched in Drupal 8

Related: Drupal Patches Critical Access Bypass Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights