All Drupal Versions Susceptible to Code Execution, Credential Theft Vulnerabilities

A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns.

The vulnerabilities lie in the way Drupal processes updates, according to Fernando Arnaboldi, senior security consultant with IOActive. Arnaboldi wrote a blog entry describing three of the issues, including one that has existed in the wild in some shape or form for years, and two which are being disclosed for the first time this week.

The issue that has lingered the longest, Arnaboldi claims, is that Drupal’s updates aren’t encrypted in transit, nor does the CMS verify the authenticity of the updates when they arrive.

To exploit the vulnerability an attacker would have to be on the same network and carry out a man-in-the-middle attack, Arnaboldi writes.

The update process involves Drupal downloading a plaintext XML file, but Arnaboldi points out that the XML file could point to a backdoored version of Drupal, or to a version hosted on an untrusted server. In his proof of concept, Arnaboldi names an update “7.41 Backdoored,” and it is downloaded. After the update process is started and the attacker runs a module, they could theoretically retrieve the Drupal database password and execute code.

As there’s no fix available, Arnaboldi is encouraging those who use the software to manually download updates for it, and its add-ons, to stay safe.

One of the newer issues isn’t exactly a vulnerability, but it does seem like something that could wind up giving users a false sense of security. The last two versions of the CMS, including the latest one, released in November, fail to notify users when they encounter a network problem during the update process. Instead of showing a warning message, the CMS simply tells users “All your projects are up to date.”
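The two update-check weaknesses above, an unauthenticated manifest and a network failure reported as “up to date,” are what a hardened client has to rule out. The following is an added example, not Drupal’s code: it assumes a constructed publisher key, a simplified manifest layout, and an allowlist of trusted download hosts, and it verifies the manifest before parsing it while keeping network errors as a distinct status.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from enum import Enum
from urllib.parse import urlparse

# Constructed stand-in for a publisher signing key shipped with the CMS; a real
# deployment would use an asymmetric signature (assumption, not Drupal's design).
PUBLISHER_KEY = b"constructed-demo-publisher-key"
TRUSTED_HOSTS = {"updates.drupal.org", "drupal.org"}  # assumed allowlist


class UpdateStatus(Enum):
    UP_TO_DATE = "up_to_date"
    UPDATE_AVAILABLE = "update_available"
    CHECK_FAILED = "check_failed"            # network error, reported as such
    MANIFEST_REJECTED = "manifest_rejected"  # bad signature or untrusted source


def sign_manifest(xml_bytes: bytes, key: bytes = PUBLISHER_KEY) -> str:
    """Publisher side: MAC over the exact manifest bytes (constructed scheme)."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def check_updates(installed: str, fetch):
    """fetch() returns (manifest_bytes, signature_hex) or raises OSError.

    Returns (UpdateStatus, latest_version_or_None)."""
    try:
        xml_bytes, sig_hex = fetch()
    except OSError:
        return UpdateStatus.CHECK_FAILED, None  # never claim "all up to date"
    # Verify before parsing: a manifest swapped in transit is rejected, not trusted.
    if not hmac.compare_digest(sign_manifest(xml_bytes), sig_hex):
        return UpdateStatus.MANIFEST_REJECTED, None
    root = ET.fromstring(xml_bytes)
    version = root.findtext("release/version")
    url = urlparse(root.findtext("release/download_link") or "")
    if not version or url.scheme != "https" or url.hostname not in TRUSTED_HOSTS:
        return UpdateStatus.MANIFEST_REJECTED, None
    if version == installed:
        return UpdateStatus.UP_TO_DATE, version
    return UpdateStatus.UPDATE_AVAILABLE, version


# Constructed sample manifest in a simplified release-history layout (not Drupal's schema).
GOOD_MANIFEST = (b"<project><release><version>7.41</version>"
                 b"<download_link>https://updates.drupal.org/example/drupal-7.41.tar.gz"
                 b"</download_link></release></project>")
GOOD_SIG = sign_manifest(GOOD_MANIFEST)
```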

Users can still check for updates manually, however, thanks to a “Check Manually” link, and that’s where the third issue comes into play.

According to Arnaboldi, an attacker could use the same static link in a cross-site request forgery attack, or further leverage the vulnerability on Drupal builds that predate Drupal 8 to carry out a server-side request forgery attack.

“Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” Arnaboldi wrote.

Arnaboldi told Threatpost Wednesday that older sites running Drupal could also fall victim to a denial of service attack through more or less the same means, if the downstream network bandwidth of a website is lower than the upstream network bandwidth of drupal.org.

Arnaboldi acknowledged that IOActive had a private discussion with Drupal’s security team about the issues and eventually agreed to keep a thread discussing the encryption issue public on Drupal.org. That thread’s existed since April 2012 and was reopened after Arnaboldi reached out to Drupal last November.

Officials with Drupal did not respond to inquiries on Wednesday. Arnaboldi claims the company didn’t have any objections to IOActive publishing any of the issues, even the more concerning CSRF vulnerability.

“The CSRF vulnerability was a more sensitive issue, because some of the members of the security team were concerned about the implications for drupal.org in case this were to be exploited in the wild,” Arnaboldi said. “CSRF vulnerabilities are always tricky to be properly solved, but they have already multiple CSRF protections in place for Drupal, so probably this was not a new topic for them.”

The researcher told Threatpost that it doesn’t look like Drupal has any short term plans for fixing the issues, and was surprised some of the issues weren’t addressed previously.

“I originally thought that some of these issues were going to be solved before releasing Drupal 8, but it was not the case,” Arnaboldi said.

Attackers targeting update mechanisms is not out of the ordinary.

Researchers this past summer discovered that the update process for some LG apps fails to verify that the security certificates presented are legitimate, something that opened some devices made by the company up to man-in-the-middle attacks.

Last year, researchers also with IOActive ferreted out a few vulnerabilities in the way Lenovo handles updates on its PCs. An attacker could bypass signature validation and switch the executable that’s downloaded by Lenovo System Update. As a result, attackers could create a bogus CA and use it to create a code-signing certificate that could then be used to sign executables.

Discussion

  • Anon on

    > That thread’s existed since April 2012 and was reopened after Arnaboldi reached out to Drupal last November. The thread was and remained open since April 2012.
  • Mike Herchel on

    This is a feature of Drupal that is rarely if ever used (and probably should be removed from core). This only can potentially affect installs that do not use version control, and do not do local development (both of which are general use cases and best practices).
  • Dennis M Dewey on

    No one in their right mind (read "professionals") updates using that particular process anyway. They'll update via a local dev machine behind a VPN and push the code to production using Git. This is really a non-issue. If I have someone intercepting my transactions on a network, I have bigger problems to worry about. Just be sure to warn your users that you really shouldn't use that "FREE Public WIFI" at the airport.
  • Kees on

    LG phones are not webservers. Webservers are not near as likely to be prone to network intrusions as portable wifi enabled devices. And if they are, you're in DEEP SHIT anyway. So, can this be improved for novice/small scale Drupal users? Yes. Is this a problem in practice? Nope.
  • Cameron Tod on

    Jeff Geerling has described how much of an edge case this vector is here: https://www.reddit.com/ The issue is being tracked here: https://www.drupal.org/node/1538118
  • David Rothstein on

    Here is a post from the Drupal Security Team (who do not seem to have been contacted for this article) regarding these issues: https://groups.drupal.org/node/506128 Note, however, that some of the previous comments (which suggest that only sites which update using Drupal's built-in update interface can be affected by this) are also incorrect.
  • Dennis Dewey on

    Actually I do believe that the Drupal security team has been made aware of this specific article, otherwise they probably would not have been patching Drush 7.x+ on January 8th. It could be a coincidence but they are usually pretty responsive when it comes to closing known security holes that they've been able to reproduce. They've also been sidelined by Drupal 8 development but I don't doubt they take these matters lightly. I did not mean to sound snarky in my previous comment. I genuinely take security of my Drupal sites very seriously and, even though this particular scenario seems highly improbable of being a major concern for me given my current situation, I still researched it further and have concluded that it is a possible attack vector that needs to be addressed as soon as possible. I think the Drupal team is looking at revamping the way their update module works. Now that Drupal 8 has finally been released, they can devote more resources towards this vulnerability. I'm just wondering if the update module can be triggered anonymously without having the token url. I also wonder if this has been something that has been exploited for the past several years by attackers. You can't just assume that the Drupal security team is negligent for not acting. Hell - look how long the heartbleed OpenSSL vulnerability was in the wild. Unfortunately one of the drawbacks to open source is too few resources devoted to security and security alone. However I'd much rather work on Drupal than any of the alternatives and I'm not going to let something like this cause me to move on to something else. I've devoted way too many resources to even think about cutting my losses just yet.
