Drupal releases security updates to fix four vulnerabilities in versions 7, 8

Drupal developers have released updates for versions 7 and 8 that fix security issues which could expose websites to cyber attacks.

The Drupal development team has released security updates for versions 7 and 8. The updates fix security vulnerabilities that could expose websites running on the popular CMS and data they manage to security risks, including information disclosure, cache poisoning, redirection to third-party sites and a denial-of-service (DoS).

The new releases, Drupal 7.52 and Drupal 8.2.3, fix four vulnerabilities rated “moderately critical” and “less critical.”

• Inconsistent name for term access query (Less critical – Drupal 7 and 8).
• Incorrect cache context on password reset page (Less critical – Drupal 8).
• Confirmation forms allow external URLs to be injected (Moderately critical – Drupal 7).
• Denial of service via transliterate mechanism (Moderately critical – Drupal 8).

In one attack scenario, ill-intentioned could cause a DoS condition by simply sending specially crafted URLs via the transliteration mechanism that is used to replace certain characters, such as the ones used in Russian and Greek, with universally displayable US-ASCII characters.

“A specially crafted URL can cause a denial of service via the transliterate mechanism.” reads the security advisory.

In the case of the second flaw ranked as “Moderately critical”, under certain circumstances, attackers use a specially crafted URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form. In this way, the users could be exposed to a wide range of social engineering attacks.

A Less critical flaw resides in the user password reset form that does not specify a proper cache context, a circumstance that which can lead to cache poisoning and unwanted content on the page.

The last “less critical” issue affects both Drupal 7 and 8 is related to inconsistent names for term access queries. The flaw can lead to information on taxonomy terms being disclosed to unprivileged users.

It is very important for websites running on Drupal to apply the security updates to avoid being hacked. In June 2016, experts from Sucuri firm reported that more than 19 months after the public disclosure of the CVE-2014-3704 many websites were still exposed to cyber attacks leveraging the flaw. For this reason, experts called the flaw Drupalgeddon.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – patch management, hacking)