Last week Drupal warned of two critical vulnerabilities that would allow attackers to overwrite data and inject non-permitted values. These vulnerabilities affect versions 9.2 and 9.3, allowing an attacker to upload malicious files and take control of a site. The threat levels of the two vulnerabilities are classified as Moderately Critical.
Likewise, the United States Cybersecurity and Infrastructure Security Agency (CISA) warned that exploits could lead an attacker to take control of a vulnerable Drupal-based website.
What is Drupal?
Drupal is a multipurpose, modular, free content management system (CMS) with extensive customization capabilities, aimed at advanced users, and one of the most flexible platforms of its kind.
Although not as popular as WordPress, it is one of the most complete CMSs for large corporate portals, and it integrates easily with other business solutions.
It is a very practical CMS for public administration, large companies and powerful projects that need a robust, secure and stable platform. Many major entities such as the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University use Drupal for their websites.
The two vulnerabilities detected in Drupal
Two vulnerabilities assessed with a moderately critical threat level have been detected:
- Form API – Improper Input Validation
- Drupal Core – Access Bypass
Form API – Improper Input Validation
The first vulnerability affects the Drupal Form API and is an improper input validation issue: values submitted through the Form API are not checked against what the form actually permits.
Validating what is uploaded or entered in a form is standard good practice. Input validation is generally done with an allow-list approach: the form expects specific input and rejects anything that does not match the expected values or payload.
When a form fails to validate input, it leaves the website open to submissions and file uploads that can trigger unwanted behavior in the web application.
In its release, Drupal reported that “The Core Forms API has a vulnerability where certain custom or contributed module forms may be vulnerable to incorrect input validation. This could allow an attacker to inject illegal values or overwrite data. Affected forms are rare, but in certain cases an attacker could alter critical or sensitive data.”
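The allow-list approach described above, written as a Drupal Form API form. This is an added example, not code from Drupal core or from the advisory; the module name `example_module`, the form class and the status values are assumptions, and the point is that the server-side list, not the submitted request, decides which values are accepted.

```php
<?php

namespace Drupal\example_module\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Hypothetical form: the submitted value is validated against a server-side
 * allow list before the submit handler can act on it.
 */
class StatusForm extends FormBase {

  /** Allowed values (constructed example); the form, not the client, owns this list. */
  const ALLOWED_STATUS = ['draft', 'review', 'published'];

  public function getFormId() {
    return 'example_module_status_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['status'] = [
      '#type' => 'select',
      '#title' => $this->t('Status'),
      '#options' => array_combine(self::ALLOWED_STATUS, self::ALLOWED_STATUS),
    ];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Save')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // A <select> in the browser does not constrain what the request contains:
    // any string can be posted. Strict comparison against the allow list rejects
    // anything the form did not offer, which is what the text above describes.
    $status = $form_state->getValue('status');
    if (!in_array($status, self::ALLOWED_STATUS, TRUE)) {
      $form_state->setErrorByName('status', $this->t('Unexpected status value.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Reached only after validation passed, so the value is from the allow list.
    $this->messenger()->addStatus($this->t('Status set to @s', [
      '@s' => $form_state->getValue('status'),
    ]));
  }

}
```

The same check belongs in the validation handler even when the widget already limits choices, because validation is the only place the server sees the value before it is stored.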
Drupal Core – Access Bypass
Access bypass is a class of vulnerability in which part of the site can be reached through a path that lacks an access control check. As a result, a user can in some cases reach levels of access for which they do not have permission.
Drupal explained that “Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not fully integrated with existing permissions, resulting in a possible bypass of access for users who have access to use content revisions in general, but do not have access to individual media and node elements.”
Affected versions and updates
The Form API – Improper Input Validation vulnerability affects versions 9.2 and 9.3. The solutions provided are the following:
- If you are using Drupal 9.3, upgrade to Drupal 9.3.12.
- If you are using Drupal 9.2, upgrade to Drupal 9.2.18.
The Drupal Core – Access Bypass vulnerability only affects Drupal version 9.3 and is addressed by upgrading to Drupal 9.3.12.