Drupal releases new versions to patch vulnerabilities

News by Danielle Correa

The Drupal project has released versions 6.36 and 7.38 of the popular open source content management system to patch several vulnerabilities. The releases fix open redirect, information disclosure and access bypass bugs.

The most serious is a critical access bypass flaw in Drupal's OpenID login support that allows an attacker to impersonate users and hijack their accounts; it affects both Drupal 6 and 7. It can only be exploited against users who have an OpenID account with certain providers (for example Verisign and LiveJournal, among others).

Several other, less critical vulnerabilities are fixed in Drupal 7. One affects the Field UI module and concerns the destinations query string parameter, which administration pages use to send users to a new page after an action completes; because the value is not restricted to pages on the same site, it can be abused as an open redirect. Drupal 6 core is not affected, but the contributed Content Construction Kit (CCK) module for Drupal 6 has a similar open redirect vulnerability.

A second open redirect in Drupal 7 is fixed in the Overlay module, which uses JavaScript to display administration pages in a layer on top of the current page.
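The Field UI and Overlay issues are instances of the same bug class: a redirect target is taken from the request and used without checking that it stays on the site. The following Python is an added example and is not Drupal's code; it puts a deliberately vulnerable redirect handler next to a hardened one. The `destinations[]` parameter name, the default path and the sample inputs are constructed for illustration.

```python
"""Open-redirect check for a redirect-after-action parameter (constructed example)."""
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical query-string key, standing in for the kind of "destinations"
# parameter described in the article; assumed for this example, not Drupal's own.
DEST_KEY = "destinations[]"
DEFAULT_DEST = "/admin/structure/types"


def is_local_destination(dest: str) -> bool:
    """True only if `dest` is a site-relative path that cannot leave the site."""
    if not dest:
        return False
    # Conservative: judge the value as it would look after one more decoding
    # step, so "%2F%2Fevil.example" is treated like "//evil.example".
    dest = unquote(dest)
    # Tabs, newlines and other C0 controls slip past naive checks and can break
    # a Location header; browsers strip them before parsing, so reject outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in dest):
        return False
    # Browsers normalise "\" to "/", so "/\evil.example" becomes "//evil.example".
    if "\\" in dest:
        return False
    # "//host", "///host" and so on are scheme-relative: they change the host.
    if dest.startswith("//"):
        return False
    # Absolute URLs ("http:", "javascript:", "data:", "mailto:") carry a scheme.
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        return False
    # Whatever is left must still be an absolute path on this site.
    return dest.startswith("/")


def redirect_target_vulnerable(query_string: str) -> str:
    """The open-redirect pattern: trust the parameter verbatim."""
    values = parse_qs(query_string).get(DEST_KEY, [])
    return values[0] if values else DEFAULT_DEST


def redirect_target_hardened(query_string: str) -> str:
    """Hardened version: use the value only if it is local, else a known-good path."""
    values = parse_qs(query_string).get(DEST_KEY, [])
    if values and is_local_destination(values[0]):
        return values[0]
    return DEFAULT_DEST


if __name__ == "__main__":
    # Constructed inputs, including the bypass tricks an attacker tries first.
    samples = [
        "destinations[]=/admin/structure/types/manage/article/fields",
        "destinations[]=http://evil.example/login",
        "destinations[]=//evil.example",
        "destinations[]=///evil.example",
        "destinations[]=/%5Cevil.example",
        "destinations[]=%2F%2Fevil.example",
        "destinations[]=javascript:alert(1)",
    ]
    for qs in samples:
        print(f"{qs:55} vulnerable -> {redirect_target_vulnerable(qs):45} "
              f"hardened -> {redirect_target_hardened(qs)}")
```

The hardened check rejects the encodings attackers reach for first: scheme-relative `//host` and `///host`, backslashes that browsers turn into slashes, control characters, and any value carrying a scheme. Because `parse_qs` already URL-decodes once, `is_local_destination` treats a second encoding layer conservatively; a value rejected only for that reason would not have redirected off-site, but falling back to a known-good path costs nothing.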

The latest version of Drupal 7 also mends an information disclosure bug in the render cache system. Some Drupal websites use the system to cache content by user role, and on those sites content cached for one role could be served to users who should not see it.

Site owners are advised to update to Drupal 6.36 or 7.38 as soon as possible.
