Drupal Warns of Multiple Critical Vulnerabilities via @sejournal, @martinibuster



Drupal issued security advisories for four vulnerabilities, rated from moderately critical to critical. The vulnerabilities affect Drupal versions 9.3 and 9.4.

The security advisory warned that the various vulnerabilities could allow a hacker to execute arbitrary code, putting a site and server at risk.

These vulnerabilities do not affect Drupal version 7.

Additionally, any versions of Drupal prior to 9.3.x have reached End of Life status, which means that they are no longer receiving security updates, making them risky to use.

Critical Vulnerability: Arbitrary PHP Code Execution

An arbitrary PHP code execution vulnerability is one in which an attacker is able to execute arbitrary commands on a server.

The vulnerability arose unintentionally from two security features that are each meant to block uploads of dangerous files but did not function correctly together, resulting in the current critical vulnerability, which can lead to remote code execution.

According to Drupal:

“…the protections for these two vulnerabilities previously did not work correctly together.

As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized.

This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”

Remote code execution is when an attacker is able to run a malicious file and take over a website or the entire server. In this particular instance the attacker can target the web server itself when the site runs on the Apache web server software.

Apache is open source web server software that receives requests and hands them to the application layer, such as PHP and the CMS running on it. It is essentially the software layer of the server itself.
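The quoted advisory describes a filename-sanitization gap: an uploaded file whose name ends in an htaccess extension can override the protective .htaccess that Drupal core places in the files directory. The following is an added example, not Drupal's code, showing the two defensive checks a site operator would want in general form: a sanitizer that neutralizes dangerous or Apache-config extensions anywhere in a filename (including intermediate extensions such as "shell.php.txt"), and an audit that confirms an upload directory's .htaccess still carries its protective directives. The dangerous-extension list, the directive checklist and the sample .htaccess contents are constructed for this example and are not copied from Drupal.

```python
"""Upload-filename hardening and .htaccess audit (added example, not Drupal core code)."""
import re
from pathlib import PurePosixPath

# Extensions a PHP/Apache stack may execute or interpret. "htaccess" is included because
# an uploaded .htaccess overrides the per-directory Apache configuration that normally
# disables script execution. This list is an assumption for the example, not Drupal's.
DANGEROUS_EXTENSIONS = {"php", "phtml", "phar", "pl", "py", "cgi", "htaccess"}


def sanitize_upload_filename(filename: str) -> str:
    """Return a filename that cannot be executed or read as Apache configuration.

    Every extension found in DANGEROUS_EXTENSIONS, whether final or intermediate,
    gets an underscore appended, so neither Apache's multi-extension handling nor
    PHP will treat the file as code and ".htaccess" becomes ".htaccess_".
    Directory components and NUL bytes are stripped first.
    """
    # Drop path components and NUL bytes so the name cannot escape the upload directory.
    name = PurePosixPath(filename.replace("\\", "/").replace("\0", "")).name
    if name in ("", ".", ".."):
        raise ValueError("empty or traversal filename rejected")
    base, *extensions = name.split(".")
    munged = [ext + "_" if ext.lower() in DANGEROUS_EXTENSIONS else ext
              for ext in extensions]
    return ".".join([base] + munged)


# Directives a defender expects in the .htaccess guarding an upload directory.
# Constructed checklist for this example; not a copy of Drupal's shipped file.
REQUIRED_DIRECTIVE_PATTERNS = {
    "ExecCGI disabled": re.compile(r"^\s*Options\b.*-ExecCGI", re.M | re.I),
    "catch-all SetHandler present": re.compile(r"^\s*SetHandler\b", re.M | re.I),
    "PHP engine off": re.compile(r"^\s*php_flag\s+engine\s+off\b", re.M | re.I),
}


def missing_upload_protections(htaccess_text: str) -> list:
    """Return the labels of protective directives absent from the given .htaccess text."""
    return [label for label, pattern in REQUIRED_DIRECTIVE_PATTERNS.items()
            if not pattern.search(htaccess_text)]


# Constructed sample contents: one hardened upload-directory .htaccess and one that
# has been replaced by an attacker-style override enabling script execution.
HARDENED_HTACCESS = """\
Options -Indexes -ExecCGI -Includes -MultiViews
SetHandler Do_Not_Execute_Uploads
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
"""

OVERRIDDEN_HTACCESS = """\
Options +ExecCGI
AddHandler application/x-httpd-php .jpg
"""


if __name__ == "__main__":
    for candidate in ["report.pdf", "shell.php", "shell.php.txt", ".htaccess", "../../.htaccess"]:
        print(f"{candidate!r:22} -> {sanitize_upload_filename(candidate)!r}")
    print("hardened file missing:", missing_upload_protections(HARDENED_HTACCESS))
    print("overridden file missing:", missing_upload_protections(OVERRIDDEN_HTACCESS))
```

The sanitizer deliberately munges rather than rejects, so a legitimate "notes.php.txt" upload is still stored (as "notes.php_.txt") while losing any chance of being executed; the audit function is the kind of check to run after every deployment or suspicious upload, since a single overridden .htaccess in the files directory is what turns an upload bug into code execution on Apache.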

Access Bypass Vulnerability

This vulnerability, rated as moderately critical, allows an attacker to alter data that they are not supposed to have access to.

According to the security advisory:

“Under certain circumstances, the Drupal core form API evaluates form element access incorrectly.

…No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.”

Multiple Vulnerabilities

Drupal published a total of four security advisories:

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014
Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2022-015
Drupal core – Moderately critical – Access Bypass – SA-CORE-2022-013
Drupal core – Moderately critical – Information Disclosure – SA-CORE-2022-012

This advisory warns of multiple vulnerabilities affecting Drupal that can expose a site to different kinds of attacks and outcomes.

These are some of the potential issues:

Arbitrary PHP code execution
Cross-site scripting
Leaked cookies
Access Bypass vulnerability
Unauthorized data access
Information disclosure vulnerability

Updating Drupal Recommended

The security advisory from Drupal recommended immediately updating versions 9.3 and 9.4.

Users of Drupal version 9.3 should upgrade to version 9.3.19.

Users of Drupal version 9.4 should upgrade to version 9.4.3.

Citation

Drupal Core Security Advisories

Drupal core – Critical – Arbitrary PHP code execution
