Drupal Warns of Multiple Critical Vulnerabilities

Multiple vulnerabilities affecting Drupal can lead to remote code execution, cross-site scripting, and other critical security issues.


Drupal issued a security advisory covering four vulnerabilities, rated from moderately critical to critical. The vulnerabilities affect Drupal versions 9.3 and 9.4.

The security advisory warned that the vulnerabilities could allow an attacker to execute arbitrary code, putting both the site and the server at risk.

One of the vulnerabilities, the Information Disclosure vulnerability CVE-2022-25275, affects Drupal version 7 in addition to 9.3 and 9.4.

Additionally, all versions of Drupal prior to 9.3.x have reached End of Life status, meaning they no longer receive security updates, which makes them risky to keep running.

Critical Vulnerability: Arbitrary PHP Code Execution

An arbitrary PHP code execution vulnerability is one in which an attacker is able to run PHP code of their own choosing on the server.

The vulnerability arose because two existing protections, each meant to block the upload of dangerous files, did not work correctly together. The resulting gap is rated critical because it can lead to remote code execution.

According to Drupal:

“…the protections for these two vulnerabilities previously did not work correctly together.

As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized.

This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”

Remote code execution means an attacker is able to run a malicious file and take over a website or the entire server. In this particular case the exposure is on the web server layer itself, when the site is served by Apache.

Apache is open source web server software; the PHP runtime and applications such as WordPress and Drupal run behind it. It is essentially the software side of the server that serves the site to visitors.
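The advisory above describes two protections that did not work together: an allow-list of upload extensions and the protective .htaccess files Drupal ships in its files directory. The following is an added example, not Drupal core code, showing the defensive checks a site operator would want around such uploads: a filename screen that refuses Apache control-file names regardless of what the site's extension allow-list says, neutralises executable extensions hidden in the middle of a name, and an audit helper that flags .htaccess files in places where none is expected. The extension lists, function names and the sample directory listing are constructed assumptions for this example.

```python
"""Illustrative upload-filename screening and .htaccess audit for a PHP site behind Apache.

Added example; not Drupal core code. Rules, names and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Extensions Apache/PHP may execute. Constructed list for this example;
# Drupal core maintains its own list.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pl", "py", "cgi", "asp",
}

# Filenames Apache treats as per-directory configuration. These must never be
# accepted as uploads, whatever the site's allow-list contains.
CONTROL_FILENAMES = {".htaccess", ".htpasswd"}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    stored_name: Optional[str]
    reason: str


def screen_upload_filename(original: str, allowed_extensions: frozenset[str]) -> Verdict:
    """Decide whether an upload name may be stored, and under what name."""
    # Drop any directory component the client supplied (../ tricks, Windows paths).
    base = original.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base in (".", ".."):
        return Verdict(False, None, "empty or relative name")

    lower = base.lower()
    # Reject Apache control files outright. This check is deliberately
    # independent of allowed_extensions, so a site that mistakenly allows
    # "htaccess" still cannot store one.
    if lower in CONTROL_FILENAMES or lower.endswith(".htaccess"):
        return Verdict(False, None, "apache control file name")

    parts = lower.split(".")
    if len(parts) < 2:
        return Verdict(False, None, "no extension")
    final_ext = parts[-1]
    if final_ext not in allowed_extensions:
        return Verdict(False, None, f"extension .{final_ext} not allowed")

    # Neutralise executable extensions in the middle of the name (shell.php.txt)
    # by appending an underscore, so multi-extension handling cannot pick them up.
    name_parts = base.split(".")
    for i in range(1, len(name_parts) - 1):
        if name_parts[i].lower() in EXECUTABLE_EXTENSIONS:
            name_parts[i] = name_parts[i] + "_"
    stored = ".".join(name_parts)
    reason = "ok" if stored == base else "munged inner extension"
    return Verdict(True, stored, reason)


def find_unexpected_htaccess(paths: Iterable[str], expected: set[str]) -> list[str]:
    """Return .htaccess paths that are not in the set the deployment is known to ship."""
    found = []
    for p in paths:
        if p.rsplit("/", 1)[-1].lower() == ".htaccess" and p not in expected:
            found.append(p)
    return sorted(found)


# Constructed directory listing for demonstration: one expected protective
# .htaccess at the files root and one that should not be there.
SAMPLE_LISTING = [
    "sites/default/files/.htaccess",
    "sites/default/files/2022-07/photo.jpg",
    "sites/default/files/2022-07/.htaccess",
]
SAMPLE_EXPECTED = {"sites/default/files/.htaccess"}

if __name__ == "__main__":
    for name in (".htaccess", "evil.HTACCESS", "../uploads/shell.php.txt", "report.txt", "shell.php"):
        print(name, "->", screen_upload_filename(name, frozenset({"txt", "htaccess"})))
    print("unexpected .htaccess:", find_unexpected_htaccess(SAMPLE_LISTING, SAMPLE_EXPECTED))
```

The two functions are independent on purpose: the screen stops a bad name at upload time, while the audit catches anything that reached disk through another path (an older version, a restore from backup, a contributed module with its own upload handling) and is the kind of check to run after applying the 9.3.19 / 9.4.3 updates.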

Access Bypass Vulnerability

This vulnerability, rated as moderately critical, allows an attacker to alter data that they are not supposed to have access to.

According to the security advisory:

“Under certain circumstances, the Drupal core form API evaluates form element access incorrectly.

…No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.”

Multiple Vulnerabilities

Drupal published a total of four security advisories. Together they warn of multiple vulnerabilities affecting Drupal that can expose a site to different kinds of attacks and outcomes.

These are some of the potential issues:

  • Arbitrary PHP code execution
  • Cross-site scripting
  • Leaked cookies
  • Access Bypass vulnerability
  • Unauthorized data access
  • Information disclosure vulnerability

Updating Drupal Recommended

The security advisory from Drupal recommended immediately updating versions 9.3 and 9.4.

Users of Drupal version 9.3 should upgrade to version 9.3.19.

Users of Drupal version 9.4 should upgrade to version 9.4.3.

Citation

Drupal Core Security Advisories

Drupal core – Critical – Arbitrary PHP code execution

Featured image by Shutterstock/solarseven

SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com