The Drupal development team has released important security updates for its widely used open-source content management software that address some critical vulnerabilities in its core system.
Drupal-powered websites are a favorite target for hackers, so web administrators are strongly advised to install the latest release, Drupal 7.69, 8.7.11, or 8.8.1, to prevent remote hackers from compromising web servers.
Drupal has three “moderately critical” vulnerabilities and one critical vulnerability.
Critical Symlinks Vulnerability in Drupal
The only advisory with critical severity includes patches for multiple vulnerabilities in a third-party library, called ‘Archive_Tar,’ that Drupal Core uses for creating, listing, extracting and adding files to tar archives.
The vulnerability resides in the way the affected library untars archives containing symlinks. When exploited, it could permit an attacker to overwrite sensitive files on a targeted server by uploading a maliciously crafted tar file.
As a result, the flaw affects only Drupal websites that are configured to process .tar, .tar.gz, .bz2, or .tlz files uploaded by untrusted users.
The Drupal developers stated that a proof-of-concept exploit for this vulnerability already exists and that hackers could actively exploit this flaw in the wild to target Drupal websites.
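A site that accepts tar uploads from untrusted users can inspect an archive before handing it to any extractor. The following is an added example, not Drupal's or Archive_Tar's own code or patch: a Python pre-extraction audit that flags link entries and paths escaping the destination. The directory /srv/uploads, the function names and the sample archives are constructed assumptions.

```python
import io
import posixpath
import tarfile

def build_sample(entries) -> bytes:
    """Build a constructed tar in memory from (name, kind, value) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, value in entries:
            info = tarfile.TarInfo(name)
            if kind == "sym":            # symlink entry: value is the link target
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tar.addfile(info)
            else:                        # regular file: value is the content
                data = value.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_tar(data: bytes, dest: str = "/srv/uploads") -> list:
    """Return reasons to reject an uploaded archive; an empty list means none found."""
    findings = []
    root = posixpath.normpath(dest)      # dest is an assumed upload directory
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            # Lexical check: where would this member land relative to dest?
            target = posixpath.normpath(posixpath.join(root, m.name))
            if target != root and not target.startswith(root + "/"):
                findings.append(f"{m.name}: path escapes {dest}")
            if m.issym() or m.islnk():
                # Links are what let a later write land outside dest.
                findings.append(f"{m.name}: link entry -> {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"{m.name}: unsupported entry type")
    return findings

# Constructed samples, not taken from any real upload.
BENIGN = build_sample([("docs/readme.txt", "file", "hello")])
SUSPECT = build_sample([
    ("docs/readme.txt", "file", "hello"),
    ("docs/link", "sym", "../../outside-target"),
    ("../escape.txt", "file", "x"),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, audit_tar(blob) or "no findings")
```

The audit only reads archive headers and never extracts anything, so it can run on an upload before the file reaches the CMS.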
Moderately Critical Drupal Vulnerabilities
Three “moderately critical” vulnerabilities in the Core software were also patched by the developers. They are:
Denial of Service (DoS): The install.php file used by Drupal 8 Core has a flaw which could be exploited by a remote, unauthenticated attacker to impair the availability of a targeted website by corrupting its cached data.
Security Restriction Bypass: The file upload function in Drupal 8 does not strip leading and trailing dots (‘.’) from filenames, which can be used by an attacker with file upload ability to overwrite arbitrary system files, such as .htaccess, to bypass security protections.
Unauthorized Access: This vulnerability is found in Drupal’s default Media Library module, which doesn’t correctly restrict access to media items in certain configurations. As a result, a low-privileged user can gain unauthorized access to sensitive information.
The developers said that affected web admins can mitigate the media access bypass vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library, though this mitigation is not available in 8.7.x.
These “moderately critical” vulnerabilities have been patched with the release of Drupal versions 8.7.11 and 8.8.1, but no proof-of-concept for these flaws was made available.
As the critical Drupal vulnerability has a proof-of-concept, users running vulnerable versions of Drupal are strongly advised to update their CMS to the latest Drupal core release as soon as possible.