Drupal calls on users to patch critical remote code execution vulnerabilities

Drupal users should update their systems immediately.

Drupal has urged users to update their CMS to protect websites from critical security holes which could lead to hijacking and remote code execution.


The Drupal content management system (CMS) powers at least one million websites and ranks behind WordPress and Joomla in popularity. However, the CMS is popular with business users thanks to its e-commerce functionality, and approximately nine percent of the world's top 10,000 websites run Drupal.

On Wednesday, Drupal's security team revealed that "critical" remote code execution vulnerabilities have left at least 13,000 websites at risk due to their use of specific, vulnerable modules.

CVE identifiers have been requested.

"The modules contain a remote code execution which could allow an attacker to completely take over the site using some specially crafted requests," Drupal's security team says. "The weakness could be exploited to take a variety of actions on the site, potentially including completely taking over the site and server."

To make matters worse, any visitor on a vulnerable domain hosting these modules can exploit the issue to hijack a website.

An affected module is the RESTWS tool, used to create REST APIs and currently installed on over 5,800 websites. If the flaw is exploited through this module, attackers can execute arbitrary PHP code. The issue was discovered by security expert Devin Zuczek.

Another module impacted by the bug is the Coder module, used for code analysis on almost 5,000 Drupal domains. Reported by Nicky Bloor, the "highly critical" flaw is caused by a lack of validation of user input in a .php script, leading to remote code execution. The module does not need to be enabled for the flaw to be exploitable.

The final module which places Drupal domains at risk is the Webform Multiple File Upload module. Discovered by Ben Dougherty of the Drupal Security Team, the "critical" bug potentially allows attackers to execute remote code, depending on which libraries are available on the domain. However, the issue is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field.

The vulnerabilities are fixed in the latest release, and users are asked to update their websites immediately.

In February, Drupal issued an update which fixed 10 serious bugs in the CMS, some of which also had the potential to result in remote code execution and website hijacking.