Pierluigi Paganini April 19, 2017

A critical vulnerability affects the Drupal References module that is used by hundreds of thousands of websites using the popular CMS.

The Drupal security team has discovered a critical vulnerability in a third-party module named References.

The Drupal team published a Security advisory on April 12 informing its users of the critical flaw.

The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.

“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.

” states Drupal.

The References module allows users to add references between nodes for more complex information architectures.

The module was initially flagged by the Drupal development team as unsupported, its last update was provided in February 2013.

The good news for References users is that, on April 14, the Drupal security team announced it was assigned to a new maintainer.

“2017-04-14 – A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.” reads the advisory.

A few days later, on April 18 the problem has been fixed with the release of references 7.x-2.2.

The Drupal security team did not disclose the technical details about the vulnerability in order to avoid the exploitation of the flaw in the wild. Unfortunately, it will very difficult to upgrade websites heavily using the Reference module.

“With a critical issue in an unsupported module so widely used, it is almost guaranteed that a large number of sites will be subject to attacks using this as a vector.” states Drupal. “Given the tradition of Drupal doing big backward breaks with regards to compatibility, some sites might be difficult to upgrade. Upgrading an enterprise site heavily using References may simply be impossible and hopefully drive the module to be maintained by a corporate entity.”

Drupal will release information on the critical vulnerability in the next few weeks.

Security experts believe threat actors could find the vulnerability by analyzing the source code of the module and could develop and exploit.

Drupal CMS is a privileged target for hackers that try to exploit vulnerabilities in the out-dated plugin.

In June 2016, security experts warned of the Drupalgeddon attacks against Drupal websites, more than 19 months after the public disclosure of the CVE-2014-3704.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Drupal References Module, hacking)

[adrotate banner=”13″]