Drupal announced two vulnerabilities affecting versions 9.2 and 9.3 that could allow an attacker to download malicious files and take control of a site. The threat level of both vulnerabilities is classified as moderately critical.
The US Cybersecurity & Infrastructure Security Agency (CISA) has warned that the exploits could lead an attacker to take control of a vulnerable Drupal-based website.
CISA said:
“Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3.
An attacker could exploit these vulnerabilities to take control of an affected system.”
Drupal
Drupal is a popular open source content management system written in the PHP programming language.
Many large organizations such as the Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University use Drupal for their websites.
Form API – Invalid input validation
The first vulnerability affects Drupal’s Form API. It is an improper input validation issue, meaning that values submitted through the Form API are not checked to confirm that they are values the form actually permits.
Validating whatever is uploaded or entered into a form is a common best practice. In general, input validation follows an allowed-list approach: the form expects specific inputs and rejects anything that does not match the expected input or upload.
When a form fails to validate an input, it leaves the website open to submissions that can trigger unwanted behavior in the web application.
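As an added illustration (not code from Drupal core or from the advisory), a minimal Drupal 9 form that applies the allowed-list approach described above in its validation handler; the module name, form ID, field names and accepted values are made up for the example.

```php
<?php

namespace Drupal\example_form\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

/**
 * Example form (hypothetical module) using allowed-list validation.
 */
class ReportExportForm extends FormBase {

  // Allowed list: the only values this form will accept, keyed by machine name.
  const ALLOWED_FORMATS = ['csv' => 'CSV', 'json' => 'JSON'];

  public function getFormId() {
    return 'example_report_export_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['format'] = [
      '#type' => 'select',
      '#title' => $this->t('Export format'),
      '#options' => self::ALLOWED_FORMATS,
      '#required' => TRUE,
    ];
    $form['report_name'] = [
      '#type' => 'textfield',
      '#title' => $this->t('Report name'),
      '#required' => TRUE,
    ];
    $form['actions']['submit'] = ['#type' => 'submit', '#value' => $this->t('Export')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Explicitly re-check the submitted value against the allowed list rather
    // than assuming the client only sent one of the rendered #options.
    $format = $form_state->getValue('format');
    if (!is_string($format) || !array_key_exists($format, self::ALLOWED_FORMATS)) {
      $form_state->setErrorByName('format', $this->t('Unsupported export format.'));
    }
    // Allowed-list pattern for free text: letters, digits, dash and underscore only.
    $name = $form_state->getValue('report_name');
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
      $form_state->setErrorByName('report_name', $this->t('Report name may contain only letters, digits, "-" and "_".'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $this->messenger()->addStatus($this->t('Export queued.'));
  }

}
```

Any submission that fails either check is rejected with a form error before submitForm() runs, so only values from the allowed list reach the application logic.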
Drupal’s announcement explained the specific issue:
“The Drupal Core Form API has a vulnerability where certain contributed or custom module forms may be vulnerable to improper input validation. This could allow an attacker to inject unauthorized values or overwrite. Affected forms are rare, but in some cases an attacker could modify critical or sensitive data.”
Drupal Core – Access Bypass
Access bypass is a class of vulnerability in which part of the site can be reached through a path that is missing an access control check, which in some cases allows a user to reach content or functions for which it does not have permission.
Drupal’s announcement describes the vulnerability:
“Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API has not been fully integrated with existing permissions, which has resulted in a potential access bypass for users who have access to content reviews in general, but do not have access to individual items of node and multimedia content.”
Publishers are encouraged to review security advisories and apply updates
The US Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage vendors to review security advisories and update to the latest versions.
Quotes
Read the official Drupal CISA vulnerability bulletin
Drupal releases security updates
Read the two Drupal security announcements
Drupal Core – Moderately Critical – Bad Input Validation – SA-CORE-2022-008
Drupal Core – Moderately Critical – Access Bypass – SA-CORE-2022-009