Pierluigi Paganini June 22, 2017

Drupal team released security updates to fix several vulnerabilities, including the critical access bypass flaw CVE-2017-6922 exploited in spam campaigns.

The Drupal development team has released security updates to fix several vulnerabilities, including the critical access bypass flaw tracked as CVE-2017-6922 that has been exploited in spam campaigns.

The CVE-2017-6922 flaw was fixed with the release of Drupal versions 7.56 and 8.3.4.

Drupal Security Team was observing a trend of attacks utilizing a site misconfiguration affecting all websites that allow file uploads by non-trusted or anonymous visitors, and stores the uploaded files in a public file system.

The files uploaded by the users are publicly accessible allowing anyone on the internet to access them. The site could be used by an attacker to host content that the legitimate site maintainers would not want made publicly available through their site.

“The majority of the reports are based around the webform module, however, other modules are vulnerable to this misconfiguration as well.” states the security advisory.

“For example, if a webform configured to allow anonymous visitors to upload an image into the public file system, that image would then be accessible by anyone on the internet. The site could be used by an attacker to host images and other files that the legitimate site maintainers would not want made publicly available through their site.”

Drupal is aware of attacks in the wild exploiting the flaw since October 2016, the new releases will not prevent such kind of abuses.

Drupal 8.3.4 also fixed a critical flaw, tracked as CVE-2017-6920, related to how the PECL YAML parser handles unsafe objects, the flaw could be exploited by an attacker for remote code execution.

Drupal also fixed in Drupal 8 is the improper field validation vulnerability tracked as CVE-2017-6921.

“A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource,” reads the advisory.

In April 2017, security experts discovered a critical vulnerability that affects the Drupal References module that is used by hundreds of thousands of websites using the popular CMS.

The Drupal team published a Security advisory on April 12 informing its users of the critical flaw.

The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.

“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

The module had no longer been supported, fortunately, a new maintainer addressed the flaw.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-6922, hacking)

[adrotate banner=”13″]