Drupal has released security updates for four vulnerabilities affecting versions 6 and 7 of the content-management system, including a critical bug that could allow attackers to hijack legitimate users’ accounts.
The vulnerability (CVE-2015-3234) lies in Drupal’s OpenID module, which enables users to authenticate themselves using the OpenID protocol.
OpenID is a login method that requires no special software and does not share a user's password with the sites that rely on it. As such, it is implemented across many different websites.
“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” Drupal’s security advisory reads. “This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).”
Three other less critical vulnerabilities have also received patches from Drupal.
The first (CVE-2015-3232) affects websites using the Field UI module and allows malicious actors to construct a URL that redirects visitors to third-party websites, where they might be exposed to social engineering attacks.
The third and final less critical vulnerability (CVE-2015-3231) is an information disclosure hole in Drupal 7’s render cache system that allows non-privileged users to access private content viewed by user 1.
The United States Computer Response Readiness Team (US-CERT) has issued an advisory about Drupal’s security releases. It urges that users and administrators implement the recommended security updates as soon as possible.
These latest vulnerabilities are dwarfed by a highly critical SQLi flaw in Drupal 7 websites that was announced in October of last year. That vulnerability was eventually targeted by automated remote exploits after it had received an official patch.