Developers at Drupal addressed 10 vulnerabilities in the content management system this week, including a critical access bypass issue that could have let users access certain elements thought to be blocked, and another issue that could lead to remote code execution.
Through the critical access bypass vulnerability, the lone fix marked critical, a user could have submitted their own input via JavaScript for form button elements, according to Drupal’s advisory, SA-CORE-2016-001. The issue has been remedied by ensuring that an “attacker must have access to submit a form that has such buttons defined for it.”
The rest of the fixes run the gamut from moderately critical to less.
It’d take some work, but through one of the moderately critical vulnerabilities, an attacker who exploited both a file upload access bypass issue and a denial of service issue in Drupal 7 and 8 could have blocked file uploads by deleting temporary files before they had been saved.
Elsewhere an issue with the XML-RPC server was fixed that could’ve let an attacker carry out a series of brute force amplification attacks.
The updates also fix a handful of open redirect vulnerabilities that could have been spurred by path manipulation, a problem with a function in the CMS’ base system that could trigger an HTTP header injection attack, and a reflected file download vulnerability in the CMS’ system module.
The less critical fixes address a problem with unserialized user data in Drupal sessions and a problem with Drupal’s user_save() API. The unserialized user data issue, despite being marked less critical, could still lead to possible remote code execution, according to Drupal’s advisory. The issue is difficult to replicate; it “requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site.” Still, since it largely stems from older versions of PHP, the problem can also be fixed by upgrading to PHP 5.4.45, 5.5.29 or 5.6.13.
Lastly, an information disclosure vulnerability in Drupal 7 and 8 that could accidentally disclose usernames associated with email addresses was also fixed.
Depending on what build users are running, the fixes pushed out on Wednesday graduate Drupal 6.x to 6.38, 7.x to 7.43, and 8.0.x to 8.0.4.
The update, which includes several fixes for users running Drupal 6, will be the last those users will receive. Drupal’s Security Team, who posted about the fixes last night, also took the time to remind users that with this release Drupal 6 has reached its end of life and will not get any further updates.