SecurityWeek

Drupal Security Updates Patch Several Vulnerabilities

The developers of Drupal, the popular open source content management system (CMS), have released versions 6.36 and 7.38 to address multiple vulnerabilities.

These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities.

According to an advisory published late on Wednesday, both Drupal 6 and 7 are affected by a critical access bypass flaw (CVE-2015-3234) that allows an attacker to impersonate users and hijack their accounts. The security hole exists in the OpenID module and can be exploited by a malicious hacker to log in to vulnerable websites as other users, including administrators.

Drupal says the vulnerability can only be exploited against users who have an OpenID account from certain OpenID providers. The list includes Verisign, LiveJournal, StackExchange and others.

Experts have also uncovered two “less critical” open redirect vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and is related to the “destinations” query string parameter used in URLs to redirect users to a new page after they complete an action on certain administration pages.

An attacker can leverage this parameter to craft a URL that redirects users to third-party websites. The vulnerability (CVE-2015-3232) can prove highly useful in social engineering attacks. Drupal has pointed out that only sites with the Field UI module enabled are impacted.

Drupal 6 is not affected by this particular bug, but it is plagued by a similar open redirect vulnerability involving the Content Construction Kit (CCK), a set of modules that allow users to add custom fields to nodes using a web browser.

Open redirect attacks are also possible in Drupal 7 because of a bug related to the Overlay module (CVE-2015-3233). This module uses JavaScript to display admin pages in a new layer on top of the current page. The open redirect vulnerability exists because the module doesn’t properly validate URLs before displaying their contents.

An attack leveraging this vulnerability only works if the Overlay module is enabled and the targeted user has the “Access the administrative overlay” permission.
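Both open redirect bugs described above (the Field UI "destinations" parameter and the Overlay module's unvalidated URLs) come down to the same defect: a user-supplied redirect target is trusted without checking that it stays on the site. The following is an added example, not code from Drupal or from this article, of the kind of check a redirect handler should apply before honouring such a parameter. It treats only site-relative paths as acceptable and rejects absolute URLs, protocol-relative `//host` forms, scheme-prefixed strings such as `javascript:`, backslashes (which browsers normalise to slashes) and control characters. `SITE_FALLBACK` and the sample destinations are constructed for the illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed fallback target used when a supplied destination is rejected.
SITE_FALLBACK = "/"


def is_safe_local_redirect(destination: str) -> bool:
    """Return True only if `destination` is a site-relative path.

    The value is percent-decoded once (as a web framework would decode a
    query parameter) and then checked conservatively: anything that could
    be interpreted by a browser as leaving the current host is rejected.
    """
    if not destination:
        return False
    candidate = unquote(destination)

    # Control characters and backslashes are never legitimate in a local
    # path; browsers treat "\" like "/" and strip some C0 characters.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return False
    if "\\" in candidate:
        return False

    # "//evil.example" and "///evil.example" are protocol-relative URLs.
    if candidate.startswith("//"):
        return False

    parts = urlsplit(candidate)
    # Any scheme (http:, javascript:, data:, even "evil.example:80/x") or
    # any host component means the target is not a local path.
    if parts.scheme or parts.netloc:
        return False

    return True


def resolve_destination(destination: str, fallback: str = SITE_FALLBACK) -> str:
    """Return the supplied destination if it is local, else the fallback."""
    return destination if is_safe_local_redirect(destination) else fallback


if __name__ == "__main__":
    # Constructed sample values mirroring what a "destination" parameter
    # might carry; the first two are legitimate, the rest are rejected.
    for sample in (
        "admin/structure/types",
        "/node/1?page=2",
        "http://evil.example/",
        "//evil.example/",
        "%2F%2Fevil.example",
        "javascript:alert(1)",
        "/\\evil.example",
    ):
        print(f"{sample!r:28} -> {resolve_destination(sample)!r}")
```

The check is deliberately strict: a relative path whose first segment contains a colon (for example `evil.example:80/x`) is rejected because `urlsplit` parses that segment as a scheme, and refusing an unusual-but-valid local path costs far less than honouring an off-site redirect. A real application should apply this check at every place a redirect target is read from the request, including administrative pages.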

The latest version of Drupal 7 also patches an information disclosure flaw related to the render cache system (CVE-2015-3231). Some Drupal websites use the render cache system to cache content by user role. The problem is that private content viewed by “user 1” (a special account created during installation) might be included in the cache, making it accessible to non-privileged users.

Since the render caching system is not used in the Drupal 7 core, an attack exploiting this bug is only possible if the caching system is enabled either via custom code or the Render Cache module. Furthermore, the vulnerability only affects websites where “user 1” is browsing the live site. The vulnerability is also mitigated if an administrative role is assigned to the “user 1” account, Drupal said.
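The render cache issue is easier to reason about with a small simulation. The following is an added example, not code from Drupal or the Render Cache module, that models a cache keyed by the viewer's roles and a superuser ("user 1") who bypasses permission checks regardless of role. It reproduces the leak the article describes (user 1 browses first, the privileged output lands in the cache entry shared with every other "authenticated user", and a non-privileged member then receives it) and shows the two mitigations the article mentions: giving user 1 a distinct administrative role so the cache key differs, or never caching user 1's output at all. The roles, permission name and content items are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample content; "private" items must only reach privileged viewers.
PUBLIC_ITEMS = ["welcome post"]
PRIVATE_ITEMS = ["invoice #42 (private)"]
PRIVATE_PERMISSION = "view private content"  # constructed permission name


@dataclass(frozen=True)
class User:
    uid: int
    roles: FrozenSet[str]
    permissions: FrozenSet[str]


def user_has_access(user: User, permission: str) -> bool:
    """Drupal's user 1 bypasses every permission check, whatever its roles."""
    if user.uid == 1:
        return True
    return permission in user.permissions


def build_block(user: User) -> List[str]:
    """Render the block for a specific viewer (uncached)."""
    items = list(PUBLIC_ITEMS)
    if user_has_access(user, PRIVATE_PERMISSION):
        items.extend(PRIVATE_ITEMS)
    return items


class RoleKeyedRenderCache:
    """Caches rendered output per role set, optionally bypassing user 1."""

    def __init__(self, exclude_uid1: bool) -> None:
        self.store: Dict[Tuple[str, ...], List[str]] = {}
        self.exclude_uid1 = exclude_uid1

    @staticmethod
    def cache_key(user: User) -> Tuple[str, ...]:
        # The key depends only on roles, not on the individual account.
        return tuple(sorted(user.roles))

    def get_block(self, user: User) -> List[str]:
        if self.exclude_uid1 and user.uid == 1:
            # Mitigation 2: superuser output is rendered fresh, never stored.
            return build_block(user)
        key = self.cache_key(user)
        if key not in self.store:
            self.store[key] = build_block(user)
        return self.store[key]


def simulate(exclude_uid1: bool, superuser_roles: FrozenSet[str]) -> List[str]:
    """User 1 browses the live site first; return what an ordinary member then sees."""
    cache = RoleKeyedRenderCache(exclude_uid1)
    superuser = User(uid=1, roles=superuser_roles, permissions=frozenset())
    member = User(uid=7, roles=frozenset({"authenticated user"}), permissions=frozenset())
    cache.get_block(superuser)
    return cache.get_block(member)


AUTHENTICATED_ONLY = frozenset({"authenticated user"})
WITH_ADMIN_ROLE = frozenset({"authenticated user", "administrator"})

if __name__ == "__main__":
    print("vulnerable:        ", simulate(False, AUTHENTICATED_ONLY))
    print("user 1 has admin:  ", simulate(False, WITH_ADMIN_ROLE))
    print("user 1 not cached: ", simulate(True, AUTHENTICATED_ONLY))
```

The first call leaks the private item to a member who holds no permission for it; the other two return only the public content. The second mitigation is the more robust one, since it does not depend on an administrator remembering to assign the role.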

Some of these issues have been identified by Drupal’s own security team. Vladislav Mladenov, Christian Mainka, Christian Koßmann, Michael Smith and Jeroen Vreuls have also been credited for finding flaws fixed with the release of Drupal 6.36 and 7.38.

Users are advised to update their installations as soon as possible.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
