Drupal Clears Up Vulnerabilities
Friday, February 26, 2016 @ 03:02 PM gHale
Drupal issued new versions to patch ten vulnerabilities.
The most serious vulnerability the organization is patching is a critical Form API access bypass issue affecting Drupal 6.
An attacker can use the flaw to submit form input tied to buttons that non-administrators should not be able to reach.
The updates, which have an overall rating of “critical,” also patch a moderately critical file upload access bypass and denial-of-service (DoS) vulnerability affecting Drupal 7 and 8. The flaw, present in the File module, allows an attacker who has permission to create content and upload files to view, delete or replace a link to a file uploaded by the victim. An attacker can leverage the security hole to block all file uploads to a website.
Another moderately critical issue, present in Drupal 6 and 7, can be used to brute-force user passwords through the XML-RPC system.
Developers pointed out that the issue can only be exploited if a module exposing an XML-RPC method vulnerable to brute-forcing is present. Drupal 6 is vulnerable through its Blog API module, but Drupal 7 includes no such module.
Drupal 6, 7 and 8 also have an open redirect vulnerability that can be triggered through path manipulation. Developers also rated as "moderately critical" a reflected file download flaw in Drupal 6 and 7 and an open redirect protection bypass in Drupal 6.
Another Drupal 6 flaw rated "moderately critical" allows HTTP header injection when user-generated content containing line breaks is passed as a header value. It is exploitable only on sites running PHP versions older than 5.1.2, which do not refuse such values in header().
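The header injection above hinges on a CR or LF inside a header value: whatever follows the line break is read by the client as a new header, and a double line break hands the attacker the response body. The following is an added example, not Drupal's code nor anything from the advisory, written in Python to show what the unchecked path produces and the check a hardened header-setting routine applies before user-controlled data reaches a header. The header names, the two injected strings and the function names are constructed for illustration.

```python
import re

# CR and LF end a header line in HTTP/1.x, so either one inside a value lets
# the value smuggle in extra header lines, or a whole response body.
_LINE_BREAK = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a header value would split the header block."""


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR or LF."""
    return _LINE_BREAK.search(value) is None


def safe_header_value(value: str) -> str:
    """The check an application must apply before a user-controlled string
    reaches a header. PHP 5.1.2 and later make header() refuse such values
    itself; on older PHP this is what closes the gap. (Assumption: this models
    the flaw generically, it is not Drupal's code.)"""
    if not is_safe_header_value(value):
        raise HeaderInjectionError("line break in header value: %r" % value)
    return value


def serialise_headers_unsafe(headers):
    """Serialise (name, value) pairs with no validation, as a header() call on
    PHP older than 5.1.2 would."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialise_headers_safe(headers):
    """Same serialisation, but every value is checked first."""
    return serialise_headers_unsafe([(n, safe_header_value(v)) for n, v in headers])


def parse_response(raw: str):
    """Split a serialised block the way a client does: headers up to the first
    blank line, then the body. Returns (list of (name, value), body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body.rstrip("\r\n")


# Constructed inputs: two user-controlled strings carrying line breaks, of the
# kind the advisory describes (for instance a title echoed into a header).
INJECT_HEADER = "attachment; filename=report.pdf\r\nSet-Cookie: session=attacker"
INJECT_BODY = "/home\r\n\r\n<html>evil</html>"


def demo_header_injection():
    """Unsafe path: the attacker's value becomes a third header."""
    raw = serialise_headers_unsafe([("Content-Type", "application/pdf"),
                                    ("Content-Disposition", INJECT_HEADER)])
    return parse_response(raw)[0]


def demo_response_splitting():
    """Unsafe path: a double line break lets the attacker supply the body."""
    raw = serialise_headers_unsafe([("Content-Type", "text/html"),
                                    ("Location", INJECT_BODY)])
    return parse_response(raw)


def demo_hardened():
    """Hardened path: the same inputs are rejected before serialisation."""
    rejected = []
    for value in (INJECT_HEADER, INJECT_BODY):
        try:
            serialise_headers_safe([("Location", value)])
        except HeaderInjectionError:
            rejected.append(value)
    return rejected


if __name__ == "__main__":
    print(demo_header_injection())
    print(demo_response_splitting())
    print(len(demo_hardened()), "values rejected")
```

The check rejects rather than strips: silently removing the line breaks would leave the attacker's text in the header and hide the attempt from logs, whereas raising lets the application refuse the request and record it.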
The flaws, patched in Drupal 6.38, 7.43 and 8.0.4, were identified by several external researchers and by members of the Drupal Security Team. Users should update their installations as soon as possible.
This is the last security update for Drupal 6, which reached end of life on February 24.