
Drupal disclosed two vulnerabilities in versions 9.2 and 9.3 that could allow an attacker to upload malicious files and take control of a site. The two vulnerabilities are rated as Moderately Critical in terms of the threat level.
The US Cybersecurity and Infrastructure Security Agency (CISA) warned that the exploits could allow an attacker to take control of a vulnerable Drupal-based website.
CISA stated:
“Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3.
An attacker could exploit these vulnerabilities to take control of an affected system.”
Drupal
Drupal is a well-known open-source content management system that is written in the PHP programming language.
Drupal is used by many major organizations, including the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University, for their websites.
Incorrect Input Validation in Form API
The first flaw affects Drupal’s form API. It is caused by improper input validation: what is submitted or uploaded through the form API is not checked against the set of values the form is meant to accept.
A common best practice is to validate everything that is uploaded or entered into a form. Input validation is generally performed with an allow-list approach, in which the form expects specific inputs and rejects anything that does not match the expected value or upload.
When a form fails to validate its input, the website is exposed to unvalidated file uploads and submissions, which can cause unexpected behavior in the web application.
Drupal’s announcement explained the specific issue:
“Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.”
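The allow-list pattern described above, as an added example rather than Drupal core code or code from the advisory. It assumes a hypothetical custom module named example_allowlist; the report types and upload limits are constructed sample values. Drupal’s own select element already rejects values outside `#options`; the explicit re-check in validateForm() shows the pattern to apply to custom elements whose allowed values core does not know about.

```php
<?php

namespace Drupal\example_allowlist\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Illustrative form in which every submitted value is checked against an
 * allow list on the server. Hypothetical module "example_allowlist".
 */
class AllowListForm extends FormBase {

  /** The only report types this form accepts (constructed sample values). */
  private const REPORT_TYPES = [
    'daily' => 'Daily summary',
    'weekly' => 'Weekly summary',
  ];

  public function getFormId(): string {
    return 'example_allowlist_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state): array {
    $form['report_type'] = [
      '#type' => 'select',
      '#title' => $this->t('Report type'),
      '#options' => self::REPORT_TYPES,
      '#required' => TRUE,
    ];
    $form['attachment'] = [
      '#type' => 'managed_file',
      '#title' => $this->t('Attachment'),
      '#upload_location' => 'private://example_allowlist',
      // Allow list for uploads: only these extensions, at most 2 MB.
      '#upload_validators' => [
        'file_validate_extensions' => ['pdf csv'],
        'file_validate_size' => [2 * 1024 * 1024],
      ],
    ];
    $form['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Submit'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state): void {
    // The option list rendered in the browser can be edited by the client,
    // so the submitted value is compared against the allow list rather than trusted.
    $type = $form_state->getValue('report_type');
    if (!is_string($type) || !array_key_exists($type, self::REPORT_TYPES)) {
      $form_state->setErrorByName('report_type', $this->t('Invalid report type.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state): void {
    // Only reached when every validator above has passed.
    $this->messenger()->addStatus($this->t('Report request recorded.'));
  }

}
```

The upload validators live on the form element rather than in the submit handler so that a rejected file is never moved into the upload location in the first place; `file_validate_extensions` and `file_validate_size` are the core file validators available in Drupal 9.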
Drupal Core – Bypassing Access
Access bypass is a class of vulnerability in which a user reaches a part of the site through a path that lacks an access control check; in some cases this gives the user access to content or functions for which they have no permission.
Drupal’s announcement described the vulnerability:
“Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.”
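The check that an access bypass of this kind is missing, as an added example that is not Drupal core code and does not reproduce the advisory’s specific flaw. It assumes a hypothetical custom module named example_revisions that exposes a node revision through its own route; the route definition is shown as a comment because it belongs in the module’s routing YAML. The point of the example is that a generic revision permission and per-item entity access are both required, combined with andIf().

```php
<?php

namespace Drupal\example_revisions\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\HttpFoundation\JsonResponse;

/**
 * Hypothetical controller for a route such as (example_revisions.routing.yml):
 *
 *   example_revisions.show:
 *     path: '/example-revisions/{node_revision}'
 *     defaults:
 *       _controller: '\Drupal\example_revisions\Controller\RevisionController::show'
 *     requirements:
 *       _custom_access: '\Drupal\example_revisions\Controller\RevisionController::access'
 *
 * Without the _custom_access requirement the route would be the kind of
 * unchecked path the article describes.
 */
class RevisionController extends ControllerBase {

  /**
   * Access callback: the generic revision permission alone is not enough.
   */
  public function access(int $node_revision, AccountInterface $account): AccessResultInterface {
    $revision = $this->entityTypeManager()
      ->getStorage('node')
      ->loadRevision($node_revision);
    if ($revision === NULL) {
      // Unknown revision: deny, and let the result vary when nodes change.
      return AccessResult::forbidden()->addCacheTags(['node_list']);
    }
    // Both must hold: permission to view revisions in general AND
    // permission to view this particular node. andIf() is only allowed
    // when both operands are allowed.
    return AccessResult::allowedIfHasPermission($account, 'view all revisions')
      ->andIf($revision->access('view', $account, TRUE))
      ->addCacheableDependency($revision);
  }

  /**
   * Route controller: only reached after access() returned allowed.
   */
  public function show(int $node_revision): JsonResponse {
    $revision = $this->entityTypeManager()
      ->getStorage('node')
      ->loadRevision($node_revision);
    return new JsonResponse([
      'revision_id' => $revision->getRevisionId(),
      'title' => $revision->label(),
    ]);
  }

}
```

Returning an AccessResult with cacheability metadata attached, rather than a plain boolean, matters in Drupal: the access decision is cached per user and per entity, and a result without the right dependencies can be served to a user for whom it is wrong.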
Publishers are encouraged to read security advisories and install updates
The US Cybersecurity and Infrastructure Security Agency (CISA) and Drupal both encourage publishers to review the security advisories and update their Drupal installations to the most recent versions.