Connect with us

Hi, what are you looking for?



Drupal Starts Patching Update Process Flaws

The developers of the Drupal content management system (CMS) have started patching the update process vulnerabilities disclosed recently by security firm IOActive.

The developers of the Drupal content management system (CMS) have started patching the update process vulnerabilities disclosed recently by security firm IOActive.

IOActive researcher Fernando Arnaboldi last week reported finding three security issues related to the Drupal update process. The expert discovered that Drupal 7 and 8 erroneously inform users that their installation is up to date if a failure occurs.

Drupal developers have admitted that “this is not ideal and should be corrected,” but they have highlighted that only the “Available updates” page in the admin interface does not correctly warn about failures. The impact of this issue should be limited considering that the Drupal Security Team’s advisories are distributed via multiple channels, including email, RSS, HTML and Twitter.

The second vulnerability identified by Arnaboldi is a cross-site request forgery (CSRF) in the “Check manually” feature that can be exploited to force an administrator to check for updates. The flaw can also be leveraged to use a large amount of resources from via a server-side request forgery (SSRF) attack.

The IOActive researcher also discovered that Drupal security updates are transferred unencrypted and their authenticity is not checked. This flaw, which has been known since 2012, allows a man-in-the-middle (MitM) attacker to intercept the connection and serve a backdoored version of Drupal or a Drupal module. A malicious hacker could exploit this to compromise the targeted website.

Drupal developers have pointed out that while the CSRF vulnerability could pose a serious risk, the weakness is only of value to an attacker that is capable of intercepting traffic or poisoning DNS. As for consuming resources, it would not be easy for an attacker to cause significant damage considering that there are millions of websites making multiple requests each day to Furthermore, Drupal has pointed out that the update service is cached and placed behind a content delivery network (CDN).

The fact that security updates are downloaded unencrypted can also be exploited only by an attacker with a privileged position on the network or who can perform DNS poisoning, Drupal said.

Advertisement. Scroll to continue reading.

Drupal is in the process of fixing the CSRF and update status vulnerabilities. As for the unencrypted file transfer issue, the developer says it’s in the process of switching infrastructure and update processes to use secure channels. Download channels not using SSL have been identified and fixes have been rolled out for some of them.

“We have switched the most common download methods to use https by default and are working to add SSL to anonymous downloads via version control (git). The next step is to release an updated Drupal core,” Drupal developers said.

Until all download channels are secured, users can obtain code over SSL by manually downloading release archives from their project pages.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.