Drupal Warns of Multiple Critical Vulnerabilities via @sejournal, @martinibuster


Drupal issued a security advisory covering four vulnerabilities rated from moderately critical to critical. The vulnerabilities affect Drupal versions 9.3 and 9.4.

The security advisory warned that the various vulnerabilities could let an attacker execute arbitrary code, putting a site and its server at risk.

These vulnerabilities do not affect Drupal version 7.

Additionally, some versions of Drupal prior to 9.3.x have reached End of Life status, which means that they are no longer receiving security updates, making them risky to use.

Critical Vulnerability: Arbitrary PHP Code Execution

An arbitrary PHP code execution vulnerability is one in which an attacker is able to execute arbitrary commands on a server.

The vulnerability arose unintentionally from two security features that are supposed to block uploads of unsafe files but failed because they did not function correctly together, resulting in the actual critical vulnerability, which can lead to remote code execution.

According to Drupal:

“…the protections for these two vulnerabilities previously did not work correctly together.

As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized.

This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”

A remote code execution is when an attacker is able to run a malicious file and take over a website or the entire server. In this particular case the attacker is able to attack the web server itself when it is running the Apache web server software.

Apache is open source web server software on which everything else, such as PHP and WordPress, runs. It is essentially the software layer of the server itself.

Access Bypass Vulnerability

This vulnerability, rated as moderately critical, allows an attacker to change data that they are not supposed to have access to.

According to the security advisory:

“Under certain circumstances, the Drupal core form API evaluates form element access incorrectly.

…No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.”

Multiple Vulnerabilities

Drupal published a total of four security advisories:

This advisory warns of multiple vulnerabilities affecting Drupal that can expose a site to different kinds of attacks and outcomes.

These are some of the possible issues:

  • Arbitrary PHP code execution
  • Cross-site scripting
  • Leaked cookies
  • Access bypass vulnerability
  • Unauthorized data access
  • Information disclosure vulnerability

Updating Drupal Recommended

The security advisory from Drupal recommended immediately updating versions 9.3 and 9.4.

Users of Drupal version 9.3 should upgrade to version 9.3.19.

Users of Drupal version 9.4 should upgrade to version 9.4.3.

Citation

Drupal Core Security Advisories

Drupal core – Critical – Arbitrary PHP code execution

Featured image by Shutterstock/solarseven