A researcher has identified three security issues in Drupal that could expose unsuspecting web admins to various attacks.
Fernando Arnaboldi, a senior security researcher and consultant at IOActive, discusses the three issues in a post on his company’s blog.
The first issue is that when the Drupal update process fails, certain versions of Drupal will not display an error/warning message and will instead state that everything is up-to-date.
“Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41,” explains Arnaboldi. “This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date.”
The researcher goes on to note that while Drupal 6 did notify users with a warning message, Drupal 7 and Drupal 8 currently do not.
Softpedia correctly notes that this lack of notification could lead those administering websites that are running Drupal 7 and 8 into a false sense of security. In the belief that Drupal is up-to-date, the admins might not pursue the matter further and therefore could leave their websites vulnerable to thousands of bugs.
Web admins could check for Drupal updates manually to get around this bug. But this leads into the second issue: an attacker could use the “Check Manually” link to perform a cross-site request forgery (CSRF) attack and force an admin to check for updates whenever they choose.
“Since there is a CSRF vulnerability in the “Check manually” functionality (Drupal 8 is the only one not affected), this could also be used as a server-side request forgery (SSRF) attack against drupal.org,” Arnaboldi observes. “Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth.”
The researcher went on to tell Threatpost how this same method of attack could be used to create a denial of service condition with websites that are running older versions of Drupal.
Whether an admin updates automatically or manually, however, they are still vulnerable to the third security issue in that Drupal updates are sent unencrypted. An attacker could therefore eavesdrop on network traffic and modify a Drupal update’s plaintext XML file to point to a backdoored version of Drupal.
Alternatively, a malicious actor could simply create a backdoored version of Drupal and have an admin install it automatically.
“Offering fake updates is a simple process,” the researcher observes. “Once requests are being intercepted, a fake update response can be constructed for any module. When administrators click on the “Download these updates” buttons, they will start the update process.”
Arnaboldi was able to use this process to send an update to a user that included a reverse shell from pentestmonkey, which connected back to the researcher and allowed him to both interact with the reverse shell and retrieve the Drupal database password.
At this time, there are no fixes available despite the fact that Drupal has known about at least one of these issues since 2012. Web admins are therefore urged to install all Drupal updates manually on a trusted network.
News of these security issues follow a major SQL injection vulnerability discovered in October 2014 that was presumed to have compromised ALL Drupal 7 websites that did not update to Drupal 7.32 within a period of several hours.