drupal vulnerabilities

There are 4 critical vulnerabilities found in the Drupal content management platform. These vulnerabilities affected on all the Drupal versions prior to 7.38 and 6.36.

1. Impersonation

Affected Module – OpenID Module
Versions – All Drupal 6 and 7
Situation – Critical

A critical vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

2. Open Redirect

Affected Module – Field UI Module
Versions – Drupal 7
Situation – Less Critical

The Field UI module uses a “destinations” query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.

3. Open Redirect

Affected Module – Overlay Module
Versions – Drupal 7
Situation – Less Critical

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission, and that the Overlay module must be enabled.

4. Information Disclosure

Affected Module – Render Cache System
Versions – Drupal 7
Situation – Less critical

On sites utilizing Drupal 7’s render cache system to cache content on the site by user role, private content viewed by user 1 may be included in the cache and exposed to non-privileged users.

This vulnerability is mitigated by the fact that render caching is not used in Drupal 7 core itself (it requires custom code or the contributed Render Cache module to enable) and that it only affects sites that have user 1 browsing the live site. Exposure is also limited if an administrative role has been assigned to the user 1 account (which is done, for example, by the Standard install profile that ships with Drupal core).

Versions affected

Drupal core 6.x versions prior to 6.36
Drupal core 7.x versions prior to 7.38

Solution

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.36
If you use Drupal 7.x, upgrade to Drupal core 7.38

Also see the Drupal core project page.

Tagged with:

Filed under: Announcements

Like this post? Subscribe to my RSS feed and get loads more!