Drupal issued a security advisory of four critical vulnerabilities rated from moderately critical to critical. The vulnerabilities affect Drupal versions 9.3 and 9.4.
The security advisory warned that the various vulnerabilities could allow an hacker to execute arbitrary code, putting a site and server at risk.
One of the vulnerabilities affects Drupal version 7 in addition to 9.3 & 9.4 (Information Disclosure vulnerability CVE-2022-25275).
Additionally, any versions of Drupal prior to 9.3.x have reached End of Life status, which means that they are no longer receiving security updates, making them risky to use.
Critical Vulnerability: Arbitrary PHP Code Execution
An arbitrary PHP code execution vulnerability is one in which an attacker is able to execute arbitrary commands on a server.
The vulnerability unintentionally arose due to two security features that are supposed to block uploads of dangerous files but failed because they didn’t function well together, resulting in the current critical vulnerability which can result in a remote code execution.
“…the protections for these two vulnerabilities previously did not work correctly together.
As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized.
This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution on Apache web servers.”
A remote code execution is when an attacker is able to run a malicious file and take over a website or the entire server. In this particular instance the attacker is able to attack the web server itself when running the Apache web server software.
Apache is an open source web server software upon which everything else like PHP and WordPress run. It’s essentially the software part of the server itself.
Access Bypass Vulnerability
This vulnerability, rated as moderately Critical, allows an attacker to alter data that they’re not supposed to have access to.
According to the security advisory:
“Under certain circumstances, the Drupal core form API evaluates form element access incorrectly.
…No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.”
Drupal published a total of four security advisories:
- Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014
- Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2022-015
- Drupal core – Moderately critical – Access Bypass – SA-CORE-2022-013
- Drupal core – Moderately critical – Information Disclosure – SA-CORE-2022-012 (This also affects Drupal 7 in addition to 9.3 & 9.4)
This advisory warns of multiple vulnerabilities affecting Drupal that can expose a site to different kinds of attacks and outcomes.
These are some of the potential issues:
- Arbitrary PHP code execution
- Cross-site scripting
- Leaked cookies
- Access Bypass vulnerability
- Unauthorized data access
- Information disclosure vulnerability
Updating Drupal Recommended
The security advisory from Drupal recommended immediately updating versions 9.3 and 9.4.
Users of Drupal version 9.3 should upgrade to version 9.3.19.
Users of Drupal version 9.4 should upgrade to version 9.4.3.
Drupal Core Security Advisories
Drupal core – Critical – Arbitrary PHP code execution
Featured image by Shutterstock/solarseven