Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional “moderately critical” vulnerabilities.
“A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” according to a security bulletin posted by the United States Computer Emergency Readiness Team (US CERT).
The critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend (DefaultMailSystem::mail()), which uses PHP’s mail() function in Drupal 7 and 8.
According to a separate advisory released by the Drupal developer community, when this default mail system is used to send emails, some variables were not being sanitized for shell arguments. When untrusted input is not sanitized correctly, that can lead to remote code execution.
This glitch was reported by security researcher and senior web developer Damien Tournoud with Princeton University.
A second remote code execution bug, reported by Nick Booher, exists in Drupal 9’s Contextual Links module. In Drupal, this module supplies contextual links that allow privileged users to quickly perform tasks related to regions of the page – without having to navigate to the Admin Dashboard.
However, the Contextual Links module doesn’t sufficiently validate the requested contextual links, which means an attacker could achieve remote code execution through them.
One upside is that an attacker would need certain existing permissions: “this vulnerability is mitigated by the fact that an attacker must have a role with the permission ‘access contextual links,’” Drupal said.
Drupal also acknowledged three other “moderately critical” bugs in its advisory.
The first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, under some conditions, content moderation fails to check a user’s access to use certain transitions, potentially allowing access bypass.
Another bug, an open redirect in Drupal 7 and 8, allows external URL injection through URL aliases.
The Path module allows users with the ‘administer paths’ permission to create pretty URLs for content – and that means that “In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,” Drupal said.
The issue is mitigated by the fact that the user needs the ‘administer paths’ permission to exploit it, Drupal said.
Finally, a “moderately critical” bug in Drupal’s redirect process allows bad actors to trick users into visiting third-party websites.
According to Drupal, Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page.
“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” said Drupal.
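As an added illustration (not Drupal’s own code), the following Python check shows the kind of validation that keeps a “destination” query parameter from redirecting users off-site: it accepts only same-site paths and rejects absolute, protocol-relative and backslash-disguised URLs. The sample values are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample values modelled on the 'destination' query parameter the
# advisory describes, mapped to whether a safe redirect handler should accept them.
SAMPLE_DESTINATIONS = {
    "/node/1": True,
    "node/1?page=2": True,
    "/user/login#login-form": True,
    "https://example.org/phish": False,   # absolute external URL
    "//example.org/phish": False,         # protocol-relative URL, leaves the site
    "/\\example.org/phish": False,        # browsers rewrite "/\" as "//"
    "\\\\example.org": False,             # same trick with two backslashes
    "javascript:alert(1)": False,         # non-http scheme
    "  //example.org": False,             # browsers strip leading whitespace
    "": False,
}

# ASCII control characters and space: browsers strip these from the ends of a
# URL before resolving it, so the check must do the same before inspecting it.
_STRIPPABLE = "".join(chr(c) for c in range(0x21))


def is_local_destination(destination: str) -> bool:
    """Return True only if the (already URL-decoded) destination is a path on this site."""
    dest = destination.strip(_STRIPPABLE)
    if not dest:
        return False
    # Treat backslashes as forward slashes so "/\host" is seen as "//host".
    normalised = dest.replace("\\", "/")
    # A protocol-relative URL ("//host/...") resolves to another origin.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # Any scheme (http:, javascript:, data:, ...) or host component means the
    # value is not a same-site path.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(destination: str, fallback: str = "/") -> str:
    """Return the destination if it is local, otherwise a safe fallback path."""
    return destination if is_local_destination(destination) else fallback
```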
All bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.
“Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,” the company said.
Drupal has been through the mill when it comes to vulnerabilities this year, in particular with a flaw (CVE-2018-7600) in March affecting versions 6, 7, and 8 of Drupal’s CMS platform and over one million sites running Drupal.