The developers of Drupal, the popular open source content management system (CMS), have released versions 6.36 and 7.38 to address multiple vulnerabilities.
These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities.
According to an advisory published late on Wednesday, both Drupal 6 and 7 are affected by a critical access bypass flaw (CVE-2015-3234) that allows an attacker to impersonate users and hijack their accounts. The security hole exists in the OpenID module and it can be exploited by a malicious hacker to log in to vulnerable websites as other users, including administrators.
Drupal says the vulnerability can only be exploited against users who have an OpenID account from certain OpenID providers. The list includes Verisign, LiveJournal, StackExchange and others.
Experts have also uncovered two “less critical” open redirect vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and is related to the “destination” query string parameter, which certain administration pages use to redirect users to a new page after they complete an action.
An attacker can leverage this parameter to craft a URL that redirects users to third-party websites. The vulnerability (CVE-2015-3232) can prove highly useful in social engineering attacks. Drupal has pointed out that only sites with the Field UI module enabled are impacted.
Drupal 6 is not affected by this particular bug, but it is plagued by a similar open redirect vulnerability involving the Content Construction Kit (CCK), a set of modules that allow users to add custom fields to nodes using a web browser.
Open redirect attacks are also possible in Drupal 7 because of a bug related to the Overlay module (CVE-2015-3233). This module uses JavaScript to display admin pages in a new layer on top of the current page. The open redirect vulnerability exists because the module doesn’t properly validate URLs before displaying their contents.
An attack leveraging this vulnerability only works if the Overlay module is enabled and the targeted user has the “Access the administrative overlay” permission.
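The Field UI, CCK and Overlay bugs described above are all abused the same way: a `destination` value that points off-site. The following is an added detection example, not code from the article or from Drupal, that scans constructed Apache-style access-log lines for `destination` parameters that would leave the site (absolute URLs, protocol-relative `//host`, backslash and double-encoded variants); the log lines, hostnames and paths are constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined"-style request line, trimmed to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one legitimate internal destination,
# three off-site destinations, and one request without the parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2015:10:01:02 +0000] "GET /admin/structure/types/manage/article/fields?destination=admin/content HTTP/1.1" 200 512
10.0.0.9 - - [17/Jun/2015:10:02:15 +0000] "GET /admin/structure/types/manage/article/fields?destination=http://evil.example/login HTTP/1.1" 302 0
10.0.0.9 - - [17/Jun/2015:10:02:40 +0000] "GET /?q=admin/config&destination=//evil.example HTTP/1.1" 302 0
10.0.0.7 - - [17/Jun/2015:10:03:01 +0000] "GET /node/1?destination=%2F%2Fevil.example%2F HTTP/1.1" 200 300
10.0.0.8 - - [17/Jun/2015:10:03:20 +0000] "GET /node/2 HTTP/1.1" 200 1200
"""


def is_external_destination(value: str) -> bool:
    """Return True if a destination value would send the browser off-site.

    Flags absolute URLs (any scheme, including javascript:), protocol-relative
    //host forms, and the backslash variants some browsers normalise to '/'.
    A second unquote() catches values that were double-encoded to slip past
    a single decoding step. Values like 'admin:foo' are also flagged because
    urlsplit treats the prefix as a scheme; that is the conservative choice.
    """
    value = unquote(value).strip()
    if value.startswith(("//", "\\\\", "/\\", "\\/")):
        return True
    parts = urlsplit(value.replace("\\", "/"))
    return bool(parts.scheme or parts.netloc)


def find_external_redirects(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, destination) for every request whose
    destination parameter points outside the site."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request entries
        target = urlsplit(m.group("target"))
        # parse_qs already URL-decodes once; keep_blank_values keeps "destination="
        for dest in parse_qs(target.query, keep_blank_values=True).get("destination", []):
            if is_external_destination(dest):
                hits.append((m.group("ip"), target.path, dest))
    return hits


if __name__ == "__main__":
    for ip, path, dest in find_external_redirects(SAMPLE_LOG):
        print(f"{ip} requested {path} with off-site destination {dest!r}")
```

The same `is_external_destination` check is what a site should apply server-side before honouring a `destination` value; a patched Drupal already does this for the affected modules.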
The latest version of Drupal 7 also patches an information disclosure flaw related to the render cache system (CVE-2015-3231). Some Drupal websites use the render cache system to cache content by user role. The problem is that private content viewed by “user 1” (a special account created during installation) might be included in the cache, making it accessible to non-privileged users.
Since the render caching system is not used in the Drupal 7 core, an attack exploiting this bug is only possible if the caching system is enabled either via custom code or the Render Cache module. Furthermore, the vulnerability only affects websites where “user 1” is browsing the live site. The vulnerability is also mitigated if an administrative role is assigned to the “user 1” account, Drupal said.
Some of these issues have been identified by Drupal’s own security team. Vladislav Mladenov, Christian Mainka, Christian Koßmann, Michael Smith and Jeroen Vreuls have also been credited for finding flaws fixed with the release of Drupal 6.36 and 7.38.
Users are advised to update their installations as soon as possible.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
