Drupal warns of several critical vulnerabilities

Drupal has issued a security advisory for four critical vulnerabilities rated moderately critical to critical. The vulnerabilities affect Drupal versions 9.3 and 9.4.

The security advisory warned that the various vulnerabilities could allow an attacker to execute arbitrary code, putting a site and a server at risk.

These vulnerabilities do not affect version 7 of Drupal.

Additionally, all versions of Drupal prior to 9.3.x have reached end-of-life status, meaning they no longer receive security updates, making them risky to use.

Critical vulnerability: arbitrary execution of PHP code

An arbitrary PHP code execution vulnerability is a vulnerability in which an attacker is able to execute arbitrary commands on a server.

The vulnerability arose unintentionally due to two security features that were supposed to block dangerous file downloads, but failed because they didn’t work well together, resulting in the current critical vulnerability that can lead to remote code execution.

According to Drupal:

“…the protections against these two vulnerabilities did not work properly together before.

Therefore, if the site was configured to allow uploading of files with an htaccess extension, the filenames of those files would not be correctly filtered.

This could bypass the protections provided by default Drupal core .htaccess files and possible remote code execution on Apache web servers.

A remote code execution occurs when an attacker is able to execute a malicious file and take control of a website or the entire server. In this particular case, the attacker is able to attack the web server itself while running the Apache web server software.

Apache is open source web server software on which everything else, like PHP and WordPress, runs. It is basically the software part of the server itself.

Access Bypass Vulnerability

This vulnerability, classified as moderately critical, allows an attacker to modify data to which he is not supposed to have access.

According to the security advisory:

“Under certain circumstances, Drupal’s main form API incorrectly evaluates access to form elements.

…No form provided by the core Drupal is known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

Multiple vulnerabilities

Drupal has released a total of four security advisories:

This advisory warns of multiple vulnerabilities affecting Drupal that can expose a site to different types of attacks and results.

Here are some of the potential issues:

  • Arbitrary execution of PHP code
  • Cross-site scripting
  • Leaked Cookies
  • Access Bypass Vulnerability
  • Unauthorized access to data
  • Information Disclosure Vulnerability

Recommended Drupal Update

Drupal’s security advisory recommended updating to 9.3 and 9.4 immediately.

Drupal version 9.3 users should upgrade to 9.3.19.

Drupal version 9.4 users should upgrade to 9.4.3.


Drupal Core Security Advisory

Drupal Core – Review – Execution of Arbitrary PHP Code

Featured image by Shutterstock/solarseven

Comments are closed.