Third in line among the world’s most popular content management systems, after juggernauts WordPress and Joomla, Drupal is a sought-after CMS powering websites including MTV, Popular Science, Sony Music, Harvard and MIT. Like every other CMS, Drupal has drawn attention a few times for serious vulnerabilities. Listed below are the 5 most critical vulnerabilities ever found in Drupal.

1. Drupal Core Critical Access Bypass

A critical access bypass vulnerability recently came to light, putting Drupal-based websites at risk of compromise. Successful exploitation can lead to a complete compromise of data confidentiality and website integrity. It affects Drupal 8, whose users were advised to upgrade to the newly released 8.3.1 or 8.2.8 versions.

To exploit this vulnerability, the website must have RESTful Web Services enabled and must allow PATCH requests. Furthermore, the attacker needs to register a new user account on the website or gain access to an existing one.

2. SQL Injection Vulnerability

The Drupal 7 database API abstraction layer was found vulnerable to SQL injection. The vulnerability, SA-CORE-2014-005, affects all Drupal core 7.x versions prior to 7.32. It allows an attacker to send specially crafted requests that result in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.

Drupal released remediation steps, the first of which is to upgrade and/or patch your Drupal version. Upgrading will not discover or remove malicious code that attackers may already have added; for that, site owners would need to restore from backups.

3. Code Execution Vulnerability

CVE-2017-6381: Drupal was also found vulnerable to code execution, putting it at risk of database credential theft. To exploit the flaw, the attacker would have to be on the same network and act as a man in the middle.

The vulnerability arose from the way Drupal handled updates. The key reason for the flaw is that Drupal security updates were transferred without a prior authenticity check. This led users to resort to downloading updates and add-ons manually. The vulnerability can also be exploited to prevent update alerts from being received and to entice admins to install modules from unreliable servers.

4. CSRF Vulnerability

In addition to the code execution flaw, the insecure update process of Drupal v7 also exposed the CMS to CSRF attacks. Due to a CSRF vulnerability in the update process, an attacker may force an admin to check for updates. He would do so by eavesdropping on the victim’s network traffic.

Such situations generally occur when a client communicates with the server over an insecure connection, such as public WiFi, or a corporate or home network that is shared with a compromised computer. The Drupal Form API protects against CSRF using special tokens in the automatically added forms. Read here to know more about CSRF attacks and how to mitigate them.

5. Cross Site Scripting Vulnerability

The cross-site scripting (XSS) vulnerability CVE-2016-7571 in Drupal versions earlier than 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors.

XSS is a type of code vulnerability that allows malicious code to be injected into your browser without the website owner’s consent or knowledge. The malicious content is usually JavaScript, HTML or any other form of code executable by the browser. The end user has no way of suspecting the unreliable script and will end up executing it. Once injected, the script gains access to any cookies, session tokens or sensitive info used by the site.
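As an added example (not code from the original article or from the Drupal project), the sketch below triages a site inventory against the version thresholds quoted above for the access bypass, SA-CORE-2014-005 and CVE-2016-7571. The function names, the sample inventory, and the assumption that every 8.x release below 8.2.8, plus 8.3.0, lacks the access bypass fix are illustrative.

```python
import re

def parse_version(text):
    """Turn '8.2.7' or '7.31' into a tuple of ints; reject dev or garbage strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def triage(version, rest_enabled=False, patch_allowed=False):
    """Return the issues from this article that apply to a Drupal core version."""
    v = parse_version(version)
    findings = []
    if v[0] == 7 and v < (7, 32):
        findings.append("SA-CORE-2014-005 SQL injection: upgrade to 7.32 or later")
    if v[0] == 8:
        if v < (8, 1, 10):
            findings.append("CVE-2016-7571 XSS: upgrade to 8.1.10 or later")
        # Assumption: all 8.x below 8.2.8, and 8.3.0, predate the fix.
        if v < (8, 2, 8) or (8, 3) <= v < (8, 3, 1):
            # Preconditions from the article: RESTful Web Services on, PATCH allowed.
            met = rest_enabled and patch_allowed
            state = "preconditions met" if met else "REST/PATCH preconditions not met"
            findings.append(f"Access bypass ({state}): upgrade to 8.3.1 or 8.2.8")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory: (site, core version, REST enabled, PATCH allowed)
    inventory = [
        ("shop.example", "7.31", False, False),
        ("api.example", "8.2.7", True, True),
        ("blog.example", "8.1.9", False, False),
        ("docs.example", "8.3.1", True, True),
    ]
    for site, version, rest, patch in inventory:
        issues = triage(version, rest, patch) or ["no issue from this list applies"]
        for issue in issues:
            print(f"{site} ({version}): {issue}")
```

A site flagged with "preconditions not met" is still running unpatched code; the precondition state only helps order the upgrade queue.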

Contact Astra to secure your Drupal website from such potential threats.

About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.
