Drupal announced two vulnerabilities affecting versions 9.2 and 9.3 that could allow an attacker to upload malicious files and take control of a site. The threat levels of the two vulnerabilities are rated as Moderately Critical.
The United States Cybersecurity & Infrastructure Security Agency (CISA) warned that the exploits could lead to an attacker taking control of a vulnerable Drupal-based website.
“Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3.
An attacker could exploit these vulnerabilities to take control of an affected system.”
Drupal is a popular open source content management system written in the PHP programming language.
Many major organizations like Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University use Drupal for their websites.
Form API – Improper Input Validation
The first vulnerability affects Drupal’s form API. The vulnerability is an improper input validation, which means that what is uploaded via the form API is not validated as to whether it is allowed or not.
Validating what is uploaded or input into a form is a common best practice. In general, the input validation is done with an Allow List approach where the form expects specific inputs and will reject anything that does not correspond with the expected input or upload.
When a form fails to validate an input then that leaves the website open to the upload of files that can trigger unwanted behavior in the web application.
Drupal’s announcement explained the specific issue:
“Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.”
Drupal Core – Access Bypass
Access bypass is a form of vulnerability where there may be a way to access to a part of the site through a path that is missing an access control check, resulting in some cases a user being able to gain access to levels they don’t have permissions for.
Drupal’s announcement described the vulnerability:
“Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.”
Publishers Encouraged to Review Security Advisories and Apply Updates
The United States Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage publishers to review the security advisories and update to the latest versions.