Last week Drupal warned of two vulnerabilities that would allow attackers to overwrite data and inject non-permitted values. They affect versions 9.2 and 9.3 and, according to the author, could allow an attacker to upload malicious files and take control of a site. Drupal classifies the threat level of both vulnerabilities as Moderately Critical.

Likewise, the United States Cybersecurity and Infrastructure Security Agency (CISA) warned that exploitation of these flaws could allow an attacker to take control of a vulnerable Drupal-based website.


What is Drupal?

Drupal is a multipurpose, modular, free content management system with extensive customization capabilities. It is one of the most flexible platforms available, which makes it best suited to users with advanced knowledge.

Despite not being as popular as WordPress, it is one of the most complete CMSs for large corporate portals. In addition, it is a flexible platform that can be integrated easily with other business solutions.

It is a very practical CMS for public administration, large companies and powerful projects that need a robust, secure and stable platform. Many major entities such as the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University use Drupal for their websites.


The two vulnerabilities detected in Drupal

Two vulnerabilities assessed with a moderately critical threat level have been detected:

  • Form API – Improper Input Validation
  • Drupal Core – Access Bypass

Form API – Improper Input Validation

The first vulnerability affects the Form API. It is an improper input validation flaw: values submitted through the Form API are not checked against what the form actually permits.

Validating what is uploaded or entered in a form is a basic good practice. Input validation is generally done with an allow-list approach: the form defines exactly which values it expects and rejects anything that does not match, rather than trying to enumerate what is forbidden.

When a form fails to validate input, it leaves the website open to file uploads that can trigger unwanted behavior in the web application.

In its release, Drupal reported that “The Core Forms API has a vulnerability where certain custom or contributed module forms may be vulnerable to incorrect input validation. This could allow an attacker to inject illegal values or overwrite data. Affected forms are rare, but in certain cases an attacker could alter critical or sensitive data.”
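The allow-list approach described above, shown as an added Drupal form example (this is illustrative code written for this article, not Drupal's own code or the code of any affected module). The module name `example_module`, the form class, the element names `mode` and `label`, and the permitted values are all assumptions; the Form API calls (`FormBase`, `FormStateInterface::getValue()`, `setErrorByName()`) are standard Drupal core APIs.

```php
<?php

namespace Drupal\example_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Hypothetical settings form that re-validates every submitted value
 * server-side against an allow list, instead of trusting the rendered
 * <select> or relying on a deny list of "bad" characters.
 */
class ExampleSettingsForm extends FormBase {

  /**
   * The only values the "mode" element will accept (constructed sample).
   */
  private const ALLOWED_MODES = ['draft', 'review', 'published'];

  /**
   * {@inheritdoc}
   */
  public function getFormId() {
    return 'example_settings_form';
  }

  /**
   * {@inheritdoc}
   */
  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['mode'] = [
      '#type' => 'select',
      '#title' => $this->t('Publishing mode'),
      '#options' => array_combine(self::ALLOWED_MODES, self::ALLOWED_MODES),
      '#required' => TRUE,
    ];
    $form['label'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Label'),
      '#maxlength' => 64,
      '#required' => TRUE,
    ];
    $form['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Save'),
    ];
    return $form;
  }

  /**
   * {@inheritdoc}
   */
  public function validateForm(array &$form, FormStateInterface $form_state) {
    // The browser-side <select> is not a security control: a client can POST
    // any string for "mode", so compare it strictly against the allow list.
    $mode = $form_state->getValue('mode');
    if (!is_string($mode) || !in_array($mode, self::ALLOWED_MODES, TRUE)) {
      $form_state->setErrorByName('mode', $this->t('The selected mode is not permitted.'));
    }

    // Free-text input: accept only a narrow, explicitly defined character
    // class and length, rather than trying to strip known-bad characters.
    $label = $form_state->getValue('label');
    if (!is_string($label) || !preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $label)) {
      $form_state->setErrorByName('label', $this->t('The label may only contain letters, digits, spaces, hyphens and underscores (max. 64 characters).'));
    }
  }

  /**
   * {@inheritdoc}
   */
  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only values that passed validateForm() reach this point.
    $this->messenger()->addStatus($this->t('Saved publishing mode @mode.', [
      '@mode' => $form_state->getValue('mode'),
    ]));
  }

}
```

Drupal core already rejects a `select` value that is not among its `#options`, so the explicit `in_array()` check is deliberate defence in depth: it keeps the form's own allow list authoritative even if the element type or its options are later altered by another module, which is exactly the class of custom and contributed forms the advisory says were affected.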

Drupal Core – Access Bypass

Access bypass is a class of vulnerability in which part of a site can be reached through a path that lacks an access control check. As a result, in some cases a user can reach content or functionality for which they do not have permission.

Drupal explained that “Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not fully integrated with existing permissions, resulting in a possible bypass of access for users who have access to use content revisions in general, but do not have access to individual media and node elements.”
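The defensive pattern implied by the advisory, combining a broad permission with a per-entity access check, shown as an added example (illustrative code written for this article, not Drupal's own implementation or its fix). The module name `example_module`, the controller class and the route name are assumptions; `AccessResult`, `EntityInterface::access()` and the `view all revisions` node permission are standard Drupal core.

```php
<?php

namespace Drupal\example_module\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

/**
 * Hypothetical controller for a revision overview page whose route requires
 * BOTH the generic revision permission AND access to the specific node.
 *
 * Assumed routing entry in example_module.routing.yml:
 *
 *   example_module.revision_overview:
 *     path: '/node/{node}/example-revisions'
 *     defaults:
 *       _controller: '\Drupal\example_module\Controller\RevisionOverviewController::overview'
 *       _title: 'Revisions'
 *     requirements:
 *       _custom_access: '\Drupal\example_module\Controller\RevisionOverviewController::access'
 *     options:
 *       parameters:
 *         node:
 *           type: entity:node
 */
class RevisionOverviewController extends ControllerBase {

  /**
   * Access callback for the route.
   *
   * The bypass described in the advisory is exactly the case where a generic
   * "may work with revisions" check is evaluated on its own. Here the result
   * is the logical AND of the generic permission and the node's own access
   * decision, so a user who may view revisions in general is still denied
   * when they may not view this particular node.
   */
  public function access(AccountInterface $account, NodeInterface $node) {
    return AccessResult::allowedIfHasPermission($account, 'view all revisions')
      // Neutral or forbidden from either side yields a denial overall.
      ->andIf($node->access('view', $account, TRUE))
      // Invalidate the cached decision if the node changes.
      ->addCacheableDependency($node);
  }

  /**
   * Lists the revision IDs of the node. Only reached after access() allowed.
   */
  public function overview(NodeInterface $node) {
    /** @var \Drupal\node\NodeStorageInterface $storage */
    $storage = $this->entityTypeManager()->getStorage('node');
    $items = [];
    foreach ($storage->revisionIds($node) as $vid) {
      $items[] = $this->t('Revision @vid', ['@vid' => $vid]);
    }
    return [
      '#theme' => 'item_list',
      '#items' => $items,
      '#cache' => ['tags' => $node->getCacheTags()],
    ];
  }

}
```

The point a site owner can check on their own routes is whether every path that exposes per-entity data declares an access requirement that includes the entity (`_entity_access` or a custom callback like the one above), not only a site-wide `_permission`. That check is what patching to 9.3.12 restores for the core revision routes.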


Affected versions and updates

The Form API: Improper Input Validation vulnerability affects versions 9.2 and 9.3. The solutions provided are the following:

If you are using Drupal 9.3, please upgrade to Drupal 9.3.12.

If you are using Drupal 9.2, please upgrade to Drupal 9.2.18.

The Drupal Core: Access Bypass vulnerability only affects Drupal version 9.3 and is addressed by upgrading to Drupal 9.3.12.

Francesc is Head of Content Marketing at Sinapsis. With more than ten years dedicated to copywriting he has built up broad experience across many subjects, although his greatest passion remains online marketing. A geek at heart, he has found in SEO a new way to keep "playing".