
Drupal Security Updates Patch Several Vulnerabilities

The developers of Drupal, the popular open source content management system (CMS), have released versions 6.36 and 7.38 to address multiple vulnerabilities.

These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities.


According to an advisory published late on Wednesday, both Drupal 6 and 7 are affected by a critical access bypass flaw (CVE-2015-3234) in the OpenID module that allows an attacker to impersonate users and hijack their accounts. On sites where the module is enabled, an attacker can exploit it to log in as other users, including administrators.

Drupal says the vulnerability can only be exploited against users whose account is linked to an OpenID identity from certain providers, including Verisign, LiveJournal and StackExchange.

Experts have also uncovered two “less critical” open redirect vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and is related to the “destinations” query string parameter, which is used in URLs to redirect users to a new page after they complete an action on certain administration pages.

An attacker can leverage this parameter to create a URL on the trusted site that redirects users to a third-party website. The vulnerability (CVE-2015-3232) is useful in phishing and other social engineering attacks, because the link the victim sees points at the legitimate site. Drupal has pointed out that only sites with the Field UI module enabled are impacted.

Drupal 6 is not affected by this particular bug, but it is plagued by a similar open redirect vulnerability involving the Content Construction Kit (CCK), a set of modules that allow users to add custom fields to nodes using a web browser.


Open redirect attacks are also possible in Drupal 7 because of a bug related to the Overlay module (CVE-2015-3233). This module uses JavaScript to display admin pages in a new layer on top of the current page. The open redirect vulnerability exists because the module doesn’t properly validate URLs before displaying their contents.

An attack leveraging this vulnerability only works if the Overlay module is enabled and the targeted user has the “Access the administrative overlay” permission.
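The three open redirects above (the Field UI “destinations” parameter, the CCK equivalent in Drupal 6, and the Overlay module’s unvalidated URLs) share one root cause: a user-supplied URL is trusted as if it were a path on the same site. The following Python example is added here for illustration; it is not Drupal’s PHP code and not Drupal’s patch, and the site host, fallback path, parameter name and sample values are assumptions. It shows the naive pattern beside a check that rejects absolute URLs on other hosts, non-http schemes, scheme-relative and backslash-mangled targets, and values padded with whitespace or control characters that browsers silently strip.

```python
# Added illustration of the open-redirect pattern behind a redirect parameter
# such as Drupal's "destinations"; generic Python, not Drupal's PHP or its patch.
from urllib.parse import urlsplit

SITE_HOST = "example.com"          # assumed: the host of the site issuing the redirect
DEFAULT_PATH = "/admin/structure"  # assumed: where to send the user when the target is rejected


def vulnerable_redirect_target(destination: str) -> str:
    """The pattern behind an open redirect: the query value is used verbatim."""
    return destination or DEFAULT_PATH


def is_same_site_target(destination: str, site_host: str = SITE_HOST) -> bool:
    """True only if `destination` stays on this site.

    Accepts a site-absolute path ("/foo?x=1#y") or an http(s) URL whose host
    is exactly `site_host`. Rejects other schemes (javascript:, data:),
    scheme-relative URLs ("//evil.example"), backslash variants that browsers
    normalise to slashes ("/\\evil.example"), userinfo tricks
    ("https://example.com@evil.example") and values carrying whitespace or
    control characters that browsers strip before parsing.
    """
    if not destination or any(ord(ch) <= 0x20 or ch.isspace() for ch in destination):
        return False
    normalised = destination.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        return parts.scheme in ("http", "https") and parts.hostname == site_host.lower()
    if parts.netloc or normalised.startswith("//"):
        return False
    return normalised.startswith("/")


def safe_redirect_target(destination: str, site_host: str = SITE_HOST) -> str:
    """Hardened counterpart: fall back to a fixed local page on any doubt."""
    if is_same_site_target(destination, site_host):
        return destination.replace("\\", "/")
    return DEFAULT_PATH


# Constructed sample values an attacker might plant in a crafted link.
SAMPLE_DESTINATIONS = [
    "/admin/structure/types?x=1",
    "https://example.com/user/login",
    "https://evil.example/phish",
    "//evil.example/phish",
    "/\\evil.example",
    "javascript:alert(1)",
    "https://example.com@evil.example/",
    "\t//evil.example",
]


def classify(destinations=SAMPLE_DESTINATIONS) -> dict:
    """Map each sample to (what the naive code would use, what the hardened code uses)."""
    return {d: (vulnerable_redirect_target(d), safe_redirect_target(d)) for d in destinations}


if __name__ == "__main__":
    for target, (naive, hardened) in classify().items():
        print(f"{target!r:40} naive -> {naive!r:40} hardened -> {hardened!r}")
```

The check deliberately refuses scheme-relative URLs even when they name the site’s own host, and it compares `hostname` rather than the raw authority string so that a `user@host` prefix cannot spoof the comparison. A fixed fallback page is safer than echoing the rejected value back into an error message.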

The latest version of Drupal 7 also patches an information disclosure flaw related to the render cache system (CVE-2015-3231). Some Drupal websites use the render cache system to cache content by user role. The problem is that private content viewed by “user 1” (a special account created during installation) might be included in the cache, making it accessible to non-privileged users.

Since Drupal 7 core does not itself use the render cache system, an attack exploiting this bug is only possible if the caching system has been enabled either via custom code or the Render Cache module. Furthermore, content can only leak on websites where “user 1” browses the live site, since that is what populates the cache with its view of the content. The vulnerability is also mitigated if an administrative role is assigned to the “user 1” account, Drupal said.
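The mitigations Drupal lists make sense once the failure mode is modelled: in Drupal 7, uid 1 bypasses every access check regardless of its roles, so if a cache entry is keyed only by role set, uid 1’s privileged rendering is stored under the same key that ordinary authenticated users share. The toy Python model below is added here as an illustration and is not Drupal’s code; the users, roles, node id and content fragment are constructed, and the key functions are a plausible model of the bug class rather than Drupal’s actual cache implementation. It shows the leak, the two mitigations from the advisory (uid 1 not browsing, uid 1 holding a distinct administrative role) and a hardened key that never lets uid 1 share an entry.

```python
# Added illustration of a per-role render cache leaking "user 1" content
# (the class of bug behind CVE-2015-3231). Toy Python model, not Drupal code;
# users, roles, node id and content are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int
    roles: frozenset


PRIVATE_FRAGMENT = "[unpublished draft: only visible to uid 1]"
NODE_ID = 42  # assumed node being rendered


def render_node(user: User) -> str:
    """Renders the node. In Drupal, uid 1 bypasses every access check, so it
    also sees content that its roles alone would not grant."""
    html = "<p>Public article body</p>"
    if user.uid == 1:
        html += f"<p>{PRIVATE_FRAGMENT}</p>"
    return html


def role_cache_key(user: User) -> str:
    """Weak key: the cache entry is shared by everyone holding the same roles."""
    return f"node:{NODE_ID}:roles=" + ",".join(sorted(user.roles))


def superuser_aware_cache_key(user: User) -> str:
    """Hardened key: uid 1 never shares an entry with ordinary role holders."""
    key = role_cache_key(user)
    return key + ":uid1" if user.uid == 1 else key


class RenderCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.entries = {}

    def get(self, user: User) -> str:
        key = self.key_fn(user)
        if key not in self.entries:          # cache miss: render as this user
            self.entries[key] = render_node(user)
        return self.entries[key]


def leaks_private_content(key_fn, user1_roles, user1_browses_first=True) -> bool:
    """Returns True if an ordinary authenticated user receives uid 1's output."""
    cache = RenderCache(key_fn)
    user1 = User(uid=1, roles=frozenset(user1_roles))
    member = User(uid=7, roles=frozenset({"authenticated"}))
    if user1_browses_first:
        cache.get(user1)                     # uid 1 browses the live site, warming the cache
    return PRIVATE_FRAGMENT in cache.get(member)


if __name__ == "__main__":
    print("weak key, uid 1 only 'authenticated':",
          leaks_private_content(role_cache_key, {"authenticated"}))
    print("weak key, uid 1 not browsing:",
          leaks_private_content(role_cache_key, {"authenticated"}, user1_browses_first=False))
    print("weak key, uid 1 given 'administrator':",
          leaks_private_content(role_cache_key, {"authenticated", "administrator"}))
    print("hardened key:",
          leaks_private_content(superuser_aware_cache_key, {"authenticated"}))
```

Assigning uid 1 an administrative role only works as a mitigation because it changes the role set and therefore the key; the hardened key removes the dependence on that operational habit by folding the super-user status into the cache identity itself.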

Some of these issues have been identified by Drupal’s own security team. Vladislav Mladenov, Christian Mainka, Christian Koßmann, Michael Smith and Jeroen Vreuls have also been credited for finding flaws fixed with the release of Drupal 6.36 and 7.38.

Users are advised to update their installations as soon as possible.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
