Multiple vulnerabilities in Drupal Core could allow Unauthorized Access (DRUPAL-SA-CORE-2016-001)

ITS Advisory Number: 
2016-033
Date(s) Issued: 
Wednesday, February 24, 2016
Subject: 
Multiple vulnerabilities in Drupal Core could allow Unauthorized Access (DRUPAL-SA-CORE-2016-001)
Overview: 

Drupal is an open source content management system (CMS) written in PHP. Multiple vulnerabilities have been reported in Drupal core versions 6, 7, and 8. These vulnerabilities include: access bypass within the Form API, HTTP header injection using line breaks, open redirect via path manipulation, brute force attacks via XML-RPC, file upload access bypass and denial of service. The most critical of these is the Form API access bypass affecting Drupal 6. Successful exploitation could allow an attacker to manipulate and submit input associated with form buttons that should normally be blocked for non-administrators.

Systems Affected: 
  • Drupal core 6.x versions prior to 6.38
  • Drupal core 7.x versions prior to 7.43
  • Drupal core 8.0.x versions prior to 8.0.4
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Multiple vulnerabilities were discovered in Drupal Core 6, 7 and 8. These vulnerabilities could allow unauthorized access. Specifically, the vulnerabilities are as follows:

  • File upload access bypass and denial of service: a vulnerability in the File module allows a malicious user to view, delete or substitute a link to a file.
  • Brute force amplification attacks via XML-RPC: the XML-RPC system allows a large number of calls to the same method to be made at once.
  • Open redirect via path manipulation in Drupal 6 and 7: the current path can be populated with an external URL, leading to an open redirect vulnerability.
  • Form API ignores access restrictions on submit buttons. This vulnerability allows input to be submitted for form button elements (for example, using JavaScript) that should not be accessible.
  • HTTP header injection using line breaks. A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value, on sites running PHP versions older than 5.1.2.
  • Open redirect via double-encoded 'destination' parameter. The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.
  • Reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.
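The header injection, double-encoded 'destination' and XML-RPC multicall items above each come down to a missing input check. The following PHP is an added example written for this advisory, not Drupal's own code or its fix: it shows the three checks in generic form. The function names are invented, the XML-RPC request is constructed for the demonstration, and the per-method limit of 3 is an arbitrary illustration value.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal code. Three generic input checks corresponding to
// the advisory's header-injection, double-decoded-destination and XML-RPC
// multicall items. All function names are invented for this illustration.

// 1. HTTP header injection: a CR or LF inside a header value terminates the
//    header and lets the remainder be read as further headers or a body.
//    PHP 5.1.2+ refuses such values inside header() itself; older PHP (the
//    case the drupal_set_header() item describes) leaves the check to the
//    application, so it has to be made explicitly.
function safe_header_line(string $name, string $value): string
{
    if (preg_match('/[\r\n]/', $name . $value) === 1) {
        throw new InvalidArgumentException('CR/LF in HTTP header rejected');
    }
    return $name . ': ' . $value;
}

// 2. Open redirect: decode the destination until it stops changing, and only
//    then decide whether it is site-local. A single decode (the drupal_goto()
//    weakness) sees "%252F%252Fevil.example" as "%2F%2Fevil.example", which
//    looks like a relative path, while the browser ends up at "//evil.example".
function local_destination(string $raw, int $maxDecodes = 5): ?string
{
    $dest = $raw;
    for ($i = 0; $i < $maxDecodes; $i++) {
        $decoded = rawurldecode($dest);
        if ($decoded === $dest) {
            break;
        }
        $dest = $decoded;
    }
    $dest = trim($dest);
    // Absolute URL with a scheme ("http:", "javascript:", ...).
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $dest) === 1) {
        return null;
    }
    // Protocol-relative "//host" and the "/\host" / "\\host" spellings that
    // browsers normalise to the same thing.
    if (preg_match('#^[/\\\\]{2}#', $dest) === 1) {
        return null;
    }
    // A Location header built from this value must not be injectable either.
    if (preg_match('/[\r\n]/', $dest) === 1) {
        return null;
    }
    return '/' . ltrim($dest, '/\\');
}

// 3. XML-RPC brute-force amplification: system.multicall lets one HTTP request
//    carry many inner calls. Counting inner calls per method, and refusing a
//    request that repeats one method more than a small number of times, keeps
//    per-request login throttling meaningful.
function multicall_method_counts(string $xml): array
{
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing untrusted XML.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        throw new InvalidArgumentException('malformed XML-RPC request');
    }
    $counts = [];
    if ((string) $doc->methodName !== 'system.multicall') {
        return $counts; // an ordinary single call: nothing to amplify
    }
    // The sole multicall parameter is an array of structs, each carrying the
    // inner call's methodName member.
    $structs = $doc->xpath('/methodCall/params/param/value/array/data/value/struct') ?: [];
    foreach ($structs as $struct) {
        foreach ($struct->member as $member) {
            if ((string) $member->name === 'methodName') {
                $m = trim((string) $member->value->string) ?: trim((string) $member->value);
                $counts[$m] = ($counts[$m] ?? 0) + 1;
            }
        }
    }
    return $counts;
}

function multicall_within_limit(string $xml, int $perMethodLimit = 3): bool
{
    foreach (multicall_method_counts($xml) as $n) {
        if ($n > $perMethodLimit) {
            return false;
        }
    }
    return true;
}

// Constructed sample request: forty user.login attempts packed into one multicall.
$inner = '<value><struct><member><name>methodName</name>'
       . '<value><string>user.login</string></value></member></struct></value>';
$request = '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
         . '<params><param><value><array><data>' . str_repeat($inner, 40)
         . '</data></array></value></param></params></methodCall>';

var_dump(multicall_method_counts($request));
var_dump(multicall_within_limit($request));
var_dump(local_destination('%252F%252Fevil.example'));
var_dump(local_destination('user/login'));
try {
    safe_header_line('Location', "/ok\r\nSet-Cookie: injected=1");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. The constructed multicall is reported as forty calls to one method and fails the per-method limit, the double-encoded destination is rejected as external once fully decoded while the plain relative path is kept, and the header value carrying a line break raises the exception. The decode loop is bounded so that a pathological input cannot be used to keep the server decoding indefinitely.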
Actions: 
  • If you use Drupal 6.x, upgrade to Drupal core 6.38
  • If you use Drupal 7.x, upgrade to Drupal core 7.43
  • If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4