Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Drupal Security Updates Patch Several Vulnerabilities

The developers of Drupal, the popular open source content management system (CMS), have released versions 6.36 and 7.38 to address multiple vulnerabilities.

These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities.

The developers of Drupal, the popular open source content management system (CMS), have released versions 6.36 and 7.38 to address multiple vulnerabilities.

These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities.

According to an advisory published late on Wednesday, both Drupal 6 and 7 are affected by a critical access bypass flaw (CVE-2015-3234) that allows an attacker to impersonate users and hijack their accounts. The security hole exists in the OpenID module and it can be exploited by a malicious hacker to log in to vulnerable websites as other users, including administrators.

Drupal says the vulnerability can only be exploited against users who have an OpenID account from certain OpenID providers. The list includes Verisign, LiveJournal, StackExchange and others.

Experts have also uncovered two “less critical” open redirect vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and is related to the “destinations” query string parameter used in URLs to redirect users to a new page after they complete an action on certain administration pages.

An attacker can leverage this parameter to create a URL that will redirect users to third party websites. The vulnerability (CVE-2015-3232) can prove highly useful in social engineering attacks. Drupal has pointed out that only sites with the Field UI module enabled are impacted.

Advertisement. Scroll to continue reading.

Drupal 6 is not affected by this particular bug, but it is plagued by a similar open redirect vulnerability involving the Content Construction Kit (CCK), a set of modules that allow users to add custom fields to nodes using a web browser.

Open redirect attacks are also possible in Drupal 7 because of a bug related to the Overlay module (CVE-2015-3233). This module uses JavaScript to display admin pages in a new layer on top of the current page. The open redirect vulnerability exists because the module doesn’t properly validate URLs before displaying their contents.

An attack leveraging this vulnerability only works if the Overlay module is enabled and the targeted user has the “Access the administrative overlay” permission.

The latest version of Drupal 7 also patches an information disclosure flaw related to the render cache system (CVE-2015-3231). Some Drupal websites use the render cache system to cache content by user role. The problem is that private content viewed by “user 1” (a special account created during installation) might be included in the cache, making it accessible to non-privileged users.

Since the render caching system is not used in the Drupal 7 core, an attack exploiting this bug is only possible if the caching system is enabled either via custom code or the Render Cache module. Furthermore, the vulnerability only affects websites where “user 1” is browsing the live site. The vulnerability is also mitigated if an administrative role is assigned to the “user 1” account, Drupal said.

Some of these issues have been identified by Drupal’s own security team. Vladislav Mladenov, Christian Mainka, Christian Koßmann, Michael Smith and Jeroen Vreuls have also been credited for finding flaws fixed with the release of Drupal 6.36 and 7.38.

Users are advised to update their installations as soon as possible.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.