Patch now to remedy CSRF and remote code execution bugs
UPDATED Drupal has fixed a pair of critical vulnerabilities in its widely used open source content management system.
First up is a cross-site request forgery (CSRF) vulnerability (SA-CORE-2020-004) in which the Drupal core Form API fails to properly handle certain form input arriving from cross-site requests, which in turn can lead to other vulnerabilities.
The bug was identified by Samuel Mortenson of the Drupal Security Team and Dor Tumarkin, an application security team leader at Checkmarx.
Left unpatched, the flaw could allow an attacker to inject malicious code into pages served to an authenticated user, according to Checkmarx, which has documented its finding in a technical blog post.
“Achieved via cross-site scripting (XSS) and document object model (DOM) manipulation, the discovered API exploit was proven to affect both the latest version of Drupal (9.0), and previous versions,” the security firm added.
The critical vulnerability is resolved in Drupal 7.72, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1.
The same set of updates also addresses a separate critical vulnerability (SA-CORE-2020-005) in Drupal 8 and 9 that carries an arbitrary PHP code execution risk.
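The practical question for an operator is whether a given site is already on a fixed release. The script below, added for this article and not Drupal project code, compares an installed core version string against the first fixed release on each branch named above (7.72, 8.8.8, 8.9.1, 9.0.1). The version strings it checks are constructed test inputs; it assumes that 8.x branches older than 8.8 were end-of-life and received no fix, that a pre-release tag such as `8.9.1-rc1` sorts before the final `8.9.1`, and that branches cut after these releases (9.1 and later, Drupal 10) carry the fix.

```python
"""Check whether a Drupal core version predates the SA-CORE-2020-004/005/006 fixes.

Added example for this article (not Drupal project code). The sample version
strings in main() are constructed inputs, not data from any real site.
"""
import re
import sys

# First fixed patch level per supported 8.x/9.x branch, from the advisories.
FIRST_FIXED_PATCH = {
    (8, 8): 8,  # 8.8.8
    (8, 9): 1,  # 8.9.1
    (9, 0): 1,  # 9.0.1
}
# Drupal 7 uses two-part version numbers; 7.72 carries the fix.
DRUPAL7_FIXED_MINOR = 72

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?$")


def parse_version(version):
    """Split '8.8.7', '7.71' or '9.0.0-rc1' into (major, minor, patch, prerelease).

    patch is None for two-part Drupal 7 versions; prerelease is None for finals.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None), pre


def is_patched(version):
    """Return True if `version` is at or beyond the first fixed release of its branch."""
    major, minor, patch, pre = parse_version(version)

    if major < 7:
        return False  # long end-of-life; no fix exists for these
    if major == 7:
        return minor >= DRUPAL7_FIXED_MINOR
    if major > 9 or (major == 9 and minor > 0):
        return True  # assumption: branches cut after the June 2020 releases carry the fix
    if major == 8 and minor < 8:
        return False  # assumption: 8.7 and earlier were end-of-life, no fix issued

    branch = (major, minor)
    if branch not in FIRST_FIXED_PATCH or patch is None:
        raise ValueError(f"no fix data for Drupal {version}")
    first_fixed = FIRST_FIXED_PATCH[branch]
    if patch != first_fixed:
        return patch > first_fixed
    # Exactly the fixed patch level: a pre-release tag (e.g. 8.9.1-rc1) predates the final.
    return pre is None


def main(argv):
    # Constructed sample inputs used when no version is passed on the command line.
    versions = argv or ["7.71", "7.72", "8.7.14", "8.8.7", "8.8.8", "8.9.1-rc1", "9.0.0", "9.0.1"]
    for v in versions:
        status = "fixed" if is_patched(v) else "VULNERABLE - upgrade"
        print(f"Drupal {v}: {status}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Feed it the output of `drush status --field=drupal-version` (Drush 9 and later) from the site you are assessing, or run it with no arguments to see the constructed samples evaluated. Note that a patched core version only tells you the advisories above are closed; it says nothing about contributed modules or your own custom forms.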
“An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system,” an advisory from the Drupal core development team explains.
“With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.”
Security researchers Lorenzo Grespan and Sam Thomas of Pentest are credited with discovering the PHP flaw.
Both critical fixes were released on Wednesday (June 17) alongside a fix for a less critical access bypass flaw (SA-CORE-2020-006).
On July 3, Pentest researchers published a detailed write-up of their findings.