Critical Vulnerabilities in Drupal



Drupal is a free, open-source content management system and development framework used to build and manage many kinds of websites. In December 2019 the Drupal security team fixed a set of four core vulnerabilities, SA-CORE-2019-009 through SA-CORE-2019-012. The most severe of them could allow an attacker to overwrite sensitive files on the target server. Drupal also points out that proof-of-concept code exists for that vulnerability, and given how widely Drupal is deployed it is likely to be incorporated into widespread attacks soon. A vulnerability management tool that tracks the installed Drupal version against these advisories will flag affected sites so they can be patched before that happens.


Highly Critical Vulnerabilities

  • SA-CORE-2019-012 patches multiple critical vulnerabilities in the third-party Archive_Tar library, which Drupal uses in certain configurations. Drupal states that the vulnerabilities are exploitable only when the site is configured to allow the upload of .tar, .tar.gz, .bz2 or .tlz files and to process them. An attacker who can get a maliciously crafted archive processed can overwrite sensitive files outside the directory the archive was meant to be extracted into.
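The following Python example is added here to illustrate the class of archive the advisory is about; it is not Drupal or Archive_Tar code and does not reproduce the library's fix. It constructs, in memory, an archive containing the two member shapes that let a crafted tar write outside the extraction directory (a path-traversal name and a symlink whose target leaves the tree) and shows the screening check an upload pipeline should run before handing any archive to an extractor. The sample file names and contents are constructed for the example.

```python
"""Screen an uploaded tar archive before extraction.

Added example for this article; it is not Drupal or Archive_Tar code.
The sample archives are constructed in memory below.
"""
from __future__ import annotations

import io
import posixpath
import tarfile


def _escapes_root(path: str) -> bool:
    """True if a path, once normalized, resolves outside the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> list[str]:
    """Return one reason per member that must not be extracted.

    An empty list means every member is a regular file or directory whose
    name, and (for links) whose target, stays inside the extraction root.
    """
    problems: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if _escapes_root(name):
                problems.append(f"{name}: name escapes extraction root")
            elif member.issym():
                # Symlink targets are relative to the link's own directory.
                # A link pointing outside lets a later member write through it.
                target = posixpath.join(posixpath.dirname(name), member.linkname)
                if _escapes_root(target):
                    problems.append(f"{name}: symlink to {member.linkname} escapes root")
            elif member.islnk():
                # Hard-link targets are archive-relative.
                if _escapes_root(member.linkname):
                    problems.append(f"{name}: hardlink to {member.linkname} escapes root")
            elif not (member.isfile() or member.isdir()):
                problems.append(f"{name}: device/fifo members are not accepted")
    return problems


def extract_checked(archive: bytes, dest: str) -> None:
    """Extract only after screening; refuse the whole archive on any problem."""
    problems = unsafe_members(archive)
    if problems:
        raise ValueError("refusing archive: " + "; ".join(problems))
    # Python 3.12+ (and patched 3.8-3.11) also offers an extraction filter;
    # use it as a second layer where the running interpreter provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        tar.extractall(dest, **kwargs)


def build_archive(files: dict[str, bytes], symlinks: dict[str, str] | None = None) -> bytes:
    """Build a tar in memory. TarInfo is used directly so traversal names and
    link targets are written exactly as given (tar.add() would strip a leading '/')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a plausible theme upload, and the same upload with
# two attack members added (a traversal name and an escaping symlink).
CLEAN = build_archive({"theme/theme.info.yml": b"name: demo\n", "theme/css/style.css": b""})
MALICIOUS = build_archive(
    {"theme/theme.info.yml": b"name: demo\n", "../../.htaccess": b"Options +Indexes\n"},
    {"theme/config": "../../../../etc"},
)

if __name__ == "__main__":
    print("clean archive problems:", unsafe_members(CLEAN))
    for line in unsafe_members(MALICIOUS):
        print("rejected:", line)
```

The check is lexical on purpose: it normalizes each member name with posixpath rather than touching the filesystem, so it can run on the upload before anything is written to disk, and it refuses the entire archive on the first bad member instead of extracting the good ones.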

Moderately Critical Vulnerabilities

  • SA-CORE-2019-009 : A visit to install.php (served from /core/install.php on Drupal 8) by an unauthenticated attacker can corrupt cached data, leaving the site impaired until its caches are rebuilt, which amounts to a denial of service. Drupal's suggested mitigation is to block access to install.php when it is not required.
  • SA-CORE-2019-010 : The file_save_upload() function in Drupal 8 does not strip leading and trailing dots ('.') from filenames, as Drupal 7 did. A user who can upload files with any extension (typically through a contributed module) can therefore upload a file named .htaccess and overwrite Drupal's own .htaccess, bypassing the protections those default files provide, such as preventing execution of uploaded scripts.
  • SA-CORE-2019-011 : The Media Library module does not sufficiently restrict access to media items in certain configurations, allowing a low-privileged user to reach media they are not authorized to see. On 8.8.x the issue can also be mitigated by unchecking "Enable advanced UI" at /admin/config/media/media-library; that option is not available on 8.7.x.
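To make the SA-CORE-2019-010 item concrete, here is an added Python example, not Drupal's file_save_upload() or its fix, that models the unpatched behaviour (path components removed, dots left alone) beside a hardened normalizer that strips leading and trailing dots, enforces an extension allowlist, and munges intermediate extensions in the spirit of Drupal's file_munge_filename(). The allowlist and the sample filenames are constructed for the example.

```python
"""Normalize an uploaded filename so that dot-prefixed server configuration
files such as .htaccess cannot be written into the web root.

Added example for this article; it models the behaviour the advisory
describes and is not Drupal's file_save_upload() or its fix.
"""
from __future__ import annotations

import posixpath
import re


def legacy_upload_name(raw: str) -> str:
    """Model of the unpatched behaviour: only directory components are
    removed, so a client-supplied ".htaccess" is stored verbatim."""
    return posixpath.basename(raw.replace("\\", "/"))


def normalize_upload_name(raw: str, allowed_extensions: set[str]) -> str:
    """Hardened version: strip leading/trailing dots (as Drupal 7 did),
    require an allowed final extension and munge the intermediate ones."""
    name = legacy_upload_name(raw)
    # ".htaccess" -> "htaccess", "..htaccess." -> "htaccess". Apache only
    # honours the exact dotted name, so the stored file is inert.
    name = name.strip(". \t\r\n")
    name = re.sub(r"[\x00-\x1f\x7f]", "_", name)
    if not name:
        raise ValueError("filename is empty after normalization")
    base, *exts = name.split(".")
    if not exts:
        return name
    allowed = {e.lower() for e in allowed_extensions}
    if exts[-1].lower() not in allowed:
        raise ValueError(f"extension .{exts[-1]} is not allowed")
    # "shell.php.txt" -> "shell.php_.txt": a server that maps handlers by
    # any extension in the name (Apache AddHandler) then sees no executable
    # one. This mirrors the idea behind Drupal's file_munge_filename().
    middle = [e if e.lower() in allowed else e + "_" for e in exts[:-1]]
    return ".".join([base, *middle, exts[-1]])


def is_accepted(raw: str, allowed_extensions: set[str]) -> bool:
    """Convenience wrapper: True if the name survives normalization."""
    try:
        normalize_upload_name(raw, allowed_extensions)
    except ValueError:
        return False
    return True


# Constructed allowlist for a typical document/image upload field.
ALLOWED = {"txt", "jpg", "png", "pdf"}

if __name__ == "__main__":
    for raw in ["../uploads/.htaccess", "..htaccess.", "shell.php.txt", "report.PDF", "shell.php", "..."]:
        stored = normalize_upload_name(raw, ALLOWED) if is_accepted(raw, ALLOWED) else "<rejected>"
        print(f"{raw!r:28} legacy={legacy_upload_name(raw)!r:14} hardened={stored!r}")
```

The important line is the strip(): once the leading dot is gone the upload can no longer collide with the server's own .htaccess, regardless of what the rest of the name looks like. The allowlist and munging are the usual companions and are what the advisory's "in conjunction with contributed modules" caveat is about, since a module that permits any extension removes that second layer.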

Affected versions

Drupal 7.x before 7.69, 8.7.x before 8.7.11, and 8.8.x before 8.8.1. Drupal 7.x is affected only by SA-CORE-2019-012; the other three advisories apply to Drupal 8. Drupal 8 releases before 8.7.x are end-of-life and did not receive fixes.


Impact of the Drupal vulnerabilities

Depending on the site's configuration, an attacker can upload a crafted archive to overwrite sensitive files, upload a .htaccess file to bypass Drupal's default server protections, gain unauthorized access to media items, or corrupt caches to cause a denial of service.


Solution

Upgrade to Drupal 7.69, 8.7.11, or 8.8.1 or later.