The Drupal Security Team fixed a handful of issues in versions 7 and 8 of its content management system core engine this week that could have led to cache poisoning, social engineering attacks and a denial of service condition.
Drupal SA-CORE-2016-005 – Moderately Critical Update to Drupal core 7.52 and Drupal core 8.2.3. #security
— Drupal Security (@drupalsecurity) November 16, 2016
According to a security advisory, the update, pushed Wednesday, fixed four vulnerabilities marked “moderately critical.” The vulnerabilities affect Drupal core 7.x versions prior to 7.52 and Drupal core 8.x versions prior to 8.2.3.
One of the more pressing fixes addresses an issue in Drupal 8’s transliteration mechanism. The module provides one-way string transliteration and also cleans file names during upload. According to the advisory, an attacker could cause a denial of service by sending a specially crafted URL to the module.
A similar issue existed in Drupal 7’s confirmation forms, according to the advisory.
“Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a 3rd party website after interacting with the form, thereby exposing the users to potential social engineering attacks.”
The remaining two bugs were marked less critical by Drupal. One was tied to the fact that Drupal 8’s user password reset form didn’t specify a proper cache context, something which could have caused cache poisoning and unwanted content appearing on a user’s page. Another stemmed from an issue with access query tags in Drupal 7 and 8. That bug could have leaked information on taxonomy terms to unprivileged users.
Users of the CMS are being encouraged to download Drupal core 7.52 if they’re using Drupal 7.x, or Drupal core 8.2.3 if they’re using Drupal 8.x.
The fixes are the first since Drupal patched three critical vulnerabilities in its core engine back in September. Those bugs could have affected how a program executes and allowed the full export of the system’s configuration report without administrative permission, among other outcomes.