5 Most Critical Vulnerabilities Ever Found on Drupal
Third among the world's most popular content management systems, after juggernauts WordPress and Joomla, Drupal is a sought-after CMS powering websites including MTV, Popular Science, Sony Music, Harvard and MIT. Like every other CMS, Drupal has drawn unwanted attention a few times because of vulnerabilities found in it. Listed below are the 5 most critical vulnerabilities ever found on Drupal.
1. Drupal Core Critical Access Bypass
A critical access bypass vulnerability recently came to light, putting Drupal-based websites at risk of compromise. Successful exploitation can lead to a complete compromise of data confidentiality and website integrity. It affects Drupal 8; users were advised to upgrade to the newly released 8.3.1 or 8.2.8 versions.
The vulnerability is exploitable only if the website has RESTful Web Services enabled and allows PATCH requests. The attacker also needs to register a new user account on the website or gain access to an existing one.
2. SQL Injection Vulnerability
The Drupal 7 database API abstraction layer was found vulnerable to an SQL injection attack. The vulnerability, SA-CORE-2014-005, impacts all Drupal core 7.x versions prior to 7.32. It allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
Drupal released remediation steps in response. The first step is to upgrade and/or patch your Drupal version. This will not discover or remove malicious code that attackers may already have added; for that, site owners would need to restore from backups.
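The version and configuration conditions given in sections 1 and 2 can be turned into an inventory check. The following is an added example, not code from the article or from the Drupal project; the record fields `rest_enabled`, `patch_allowed` and `open_registration` are hypothetical names, and the handling of Drupal 8 branches other than 8.2 and 8.3 is an assumption.

```python
import re

D8_FIXED = {2: (8, 2, 8), 3: (8, 3, 1)}   # fixed releases named in the article
D7_SQLI_FIXED = (7, 32)                   # SA-CORE-2014-005 fixed release

def parse_version(text):
    """Parse '7.31' or '8.3.0' into a tuple of ints; reject anything else."""
    if not re.fullmatch(r"\d+\.\d+(\.\d+)?", text.strip()):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def d8_bypass_version_affected(version):
    """True if a Drupal 8 version predates the fix for its branch."""
    if version[0] != 8:
        return False
    minor = version[1]
    if minor in D8_FIXED:
        return version < D8_FIXED[minor]
    # Assumption: branches older than 8.2 never got a fix, newer ones ship with it.
    return minor < 2

def triage(site):
    """Return a list of (issue, status) findings for one inventory record."""
    try:
        version = parse_version(site["version"])
    except ValueError:
        return [("version", "unknown, check manually")]
    findings = []
    if version[0] == 7 and version < D7_SQLI_FIXED:
        findings.append(("SA-CORE-2014-005 SQL injection", "upgrade to 7.32 or later"))
    if d8_bypass_version_affected(version):
        # Preconditions listed in the article: REST module on and PATCH allowed.
        if site.get("rest_enabled") and site.get("patch_allowed"):
            status = "exposed to any authenticated user"
            if site.get("open_registration"):
                status = "exposed, and anyone can register an account"
        else:
            status = "vulnerable version, preconditions not met"
        findings.append(("Drupal 8 core access bypass", status))
    return findings

# Constructed inventory records, not real sites.
SAMPLE_SITES = [
    {"name": "shop", "version": "7.31"},
    {"name": "api", "version": "8.3.0", "rest_enabled": True, "patch_allowed": True, "open_registration": True},
    {"name": "blog", "version": "8.2.8", "rest_enabled": True, "patch_allowed": True},
    {"name": "legacy", "version": "8.x-dev"},
]
```

A site reported as "vulnerable version, preconditions not met" still needs the upgrade, since enabling REST or PATCH later would expose it.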
3. Code Execution Vulnerability
CVE-2017-6381: Drupal was also found vulnerable to code execution, exposing it to database credential theft. To exploit the flaw, the attacker would have to be on the same network and act as a man in the middle.
The vulnerability arose from the way Drupal handled updates. The key reason for the flaw is that Drupal security updates were transferred without a prior authenticity check. This led users to resort to manually downloading updates and their add-ons. The vulnerability can also be exploited to prevent update alerts from being received and to entice admins to install modules from unreliable servers.
4. CSRF Vulnerability
In addition to the code execution flaw, the insecure update process of Drupal v7 also exposed the CMS to CSRF attacks. Due to a CSRF vulnerability in the update process, an attacker may force an admin to check for updates. He would do so by eavesdropping on the victim's network traffic.
Such situations generally occur when a client communicates with the server over an insecure connection, such as public WiFi, or a corporate or home network that is shared with a compromised computer. The Drupal Form API protects against CSRF using special tokens in the automatically added forms. Read here to know more about CSRF attacks and how to mitigate them.
5. Cross Site Scripting Vulnerability
Contact Astra to secure your Drupal website from such potential threats.