Drupal plugs critical vulnerability leaving thousands of websites open to attack

Posted in Hacker News
The open source content management system (CMS) Drupal has rushed out a wave of security updates plugging flaws that leave numerous businesses and government departments open to attack.
Drupal flaw leaves big names open to attack

The updates include a patch for a critical flaw in Drupal 6 and 7 core that attackers could exploit to take over user accounts, including administrator accounts.

“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” read the advisory.

“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks.”

Drupal is a CMS used by big names including the White House, the Prince of Wales, Tesla Motors, Peugeot, Oxfam, British Council EAL and Amnesty International.

The remaining fixes are ranked as “less critical” and address open redirect and information disclosure bugs in Drupal 7.

“The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window,” explained the advisory.

“The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

“On sites using Drupal 7’s render cache system to cache content on the site by user role, private content viewed by a user may be included in the cache and exposed to non-privileged users.”
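The Overlay issue quoted above is the classic open-redirect pattern: a path taken from the page’s URL fragment is handed to the browser without checking that it still points at the site itself. The following JavaScript is an added example written for this page, not code from Drupal’s Overlay module. It assumes a site origin of https://example.com and a fragment of the form #overlay=<path>, which is how Drupal 7’s overlay passes the administrative page to load, and contrasts a naive prefix check (which lets protocol-relative and backslash variants through) with a check that resolves the candidate with the browser’s own URL parser and requires the result to stay on the site’s origin.

```javascript
// Added example, not Drupal's code: validating a user-controlled overlay path.
// Assumptions: the site origin is https://example.com and the overlay path
// arrives in the URL fragment as "#overlay=<path>".

const SITE_ORIGIN = 'https://example.com'; // assumed site origin

// Extract the candidate path from the fragment, undoing percent-encoding so a
// disguised "%2F%2Fattacker.example" is checked in its decoded form.
function pathFromFragment(hash) {
  const m = /^#overlay=(.*)$/.exec(hash);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Naive check of the kind that produces an open redirect: it only rejects
// values that literally start with "http://" or "https://", so
// "//attacker.example" and "/\attacker.example" are waved through.
function isSafePathNaive(path) {
  return !/^https?:\/\//i.test(path);
}

// Hardened check: resolve the candidate against the site origin using the
// WHATWG URL parser (the same rules the browser applies when it navigates),
// then require the result to stay on that origin. Returns the normalized
// same-site path (path + query + fragment), or null if it must be refused.
function normalizeOverlayPath(path) {
  if (typeof path !== 'string' || path.length === 0) return null;
  let resolved;
  try {
    resolved = new URL(path, SITE_ORIGIN + '/');
  } catch (e) {
    return null; // unparseable input
  }
  // A value with its own scheme (https:, javascript:, data:) resolves to a
  // foreign or opaque ("null") origin; a protocol-relative "//host", its
  // backslash variant "/\host", or a "user@host" authority naming another
  // host resolves to that host's origin. All of these fail this comparison.
  if (resolved.origin !== SITE_ORIGIN) return null;
  return resolved.pathname + resolved.search + resolved.hash;
}

// What the overlay would actually be allowed to load for a given fragment.
function overlayTarget(hash) {
  const path = pathFromFragment(hash);
  return path === null ? null : normalizeOverlayPath(path);
}
```

The point of letting the URL parser do the work is that the browser, not the validator, decides what a string like `/\attacker.example` means; any home-grown prefix or regex check has to anticipate every such quirk, whereas comparing the resolved origin does not.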

The widespread use of Drupal led the US Computer Emergency Readiness Team (US-CERT) to issue an advisory urging “users and administrators to review Drupal’s security advisory and apply the necessary updates”.

Drupal is one of many software projects and vendors to issue critical security updates in recent weeks.

Canonical released several patches earlier in June addressing flaws in the Linux kernel and OpenSSL that left Ubuntu users open to privilege escalation and denial-of-service attacks.

Source: V3.co.uk