Upgrade now to protect against RCE and open redirects

UPDATED Drupal users have been urged to upgrade to the most recent version of the platform, which includes fixes for several vulnerabilities.

In a security advisory posted yesterday, the open source CMS software giant flagged two critical remote code execution (RCE) flaws, the first of which resulted from some email variables not being sanitized for shell arguments.

Offering additional information on the vulnerability, a Drupal spokesperson told The Daily Swig: “That issue is not possible to exploit with Drupal core even if the attacker is authenticated or has advanced permissions on the site.”

“However, there are some contributed modules on drupal.org that would make it possible to exploit. For those modules, I believe most of them require a registered user or even a user with more advanced permissions (i.e. permissions usually reserved for site admins).

“That said, people do a wide variety of things with Drupal configuration and the Drupal API in site-specific custom modules. That diversity of site uses makes it hard to say for sure there are cases that an anonymous user could achieve RCE.”

Another RCE bug was found in the Contextual Links module, which failed to sufficiently validate certain links. This, however, is mitigated by the fact that an attacker must have permission to access contextual links.

Moving on to a trio of vulnerabilities marked as ‘moderately critical’, Drupal said it has patched an anonymous open redirect flaw, which could enable an attacker to trick users into visiting malicious third-party sites.

This bug was originally discovered by PortSwigger researcher James Kettle, who earlier this year demonstrated how it could be used in a chained web cache poisoning attack.

The latest Drupal release also includes a fix for a second open redirect, after it was found that, under certain circumstances, a user could enter a particular path in the path module that triggers a redirect to a malicious URL.

Finally, the organization has also patched an access bypass flaw in its content moderation module. It was discovered that, in some conditions, the module failed to check a user’s access to use certain transitions.

Users running Drupal 7 have been urged to upgrade to Drupal 7.60.

Those with Drupal 8.6 should head to the Drupal 8.6.2 release page.

This article has been updated to include comments from Drupal.
