Tech

Drupal patches 10 security flaws, critical issues

The content management system's latest security update includes fixes for issues including remote code execution.

Written by Charlie Osborne, Contributing Writer Feb. 26, 2016 at 3:34 a.m. PT

Drupal has released its February patch update with fixes for 10 vulnerabilities, including several which allow attackers to execute code remotely and access website elements which should be blocked.

In security advisory SA-CORE-2016-001, Drupal said on Wednesday the latest update contains a total of 10 fixes, of which one is deemed critical, while six are considered "moderately" critical problems.

The most critical issue fixed in this update is a flaw which allows code injection when a user is meant to have restricted access. This could allow an attacker, for example, to use JavaScript for form button elements to exploit the access bypass vulnerability in order to inject code into the CMS system.

The vulnerability has been mitigated as with the latest update, attackers must now "have access to submit a form that has such buttons defined for it."

In addition, Drupal developers have fixed a vulnerability within the File module which allowed attackers to view, delete or switch file links that a victim has uploaded to a form, as long as the form submission has not yet been processed. However, an attacker does require permission to create content or comment and upload files through the CMS.

"If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved," Drupal says.

Drupal has also fixed a flaw in the XML-RPC system which allows brute force amplification attacks -- such as password discovery by submitting multiple options at once -- and an open redirect problem which allows a current path to be changed to an external URL.

Other issues which have also been resolved include a HTTP header injection exploit using line breaks, an open redirect vulnerability through a double-encoded 'destination' parameter, a security flaw which could allow attackers to trick victims into downloading files with arbitrary code, and a strange bug which occurs when a user account is saved -- one which, on occasion, grants that user full privileges.

In addition, the Drupal team has also patched two less severe problems. One allows users to log in through their email address instead of their username and consequentially this links a username to an email account, potentially leading to information disclosure. The second issue, found on older versions of PHP, unserializes user-generated data in a Drupal session.

Security

While this vulnerability is dangerous as it could lead to remote code execution, Drupal says an "unusual set of circumstances" are required to exploit the issue, and is also mitigated by users of PHP 5.4.45, 5.5.29, 5.6.13 and higher.

CVE identifiers have been requested but have not been assigned at the time of writing.

The security flaws impact on Drupal core 6.x versions prior to 6.38, Drupal core 7.x versions prior to 7.43 and Drupal core 8.0.x versions prior to 8.0.4.

Therefore, in order to protect yourself from these security problems, Drupal v.6x users should upgrade to Drupal core 6.38, users of 7.x should upgrade to Drupal core 7.43, and if you use Drupal 8.0.x, you need to download and install Drupal core 8.0.4.

It is important to note that users of Drupal version 6 will not receive any further security updates, as the build has now reached the end of its life.