Drupal is free, open-source software used to create and manage many types of websites; it also includes a content management platform and a development framework. A set of critical vulnerabilities has been identified and fixed in Drupal, the most severe of which could allow an attacker to overwrite sensitive files on a targeted server. Drupal has also pointed out that proof-of-concept code exists for the vulnerability and, given the popularity of Drupal websites, could soon be incorporated into widespread attacks.
Highly Critical Vulnerabilities
- SA-CORE-2019-012 patches multiple highly critical vulnerabilities in the third-party library Archive_Tar, which Drupal uses in certain configurations. The vendor states that multiple vulnerabilities are possible when Drupal is configured to allow the upload and processing of .tlz files. An attacker can exploit this to overwrite sensitive files by uploading maliciously crafted .tar files.
Moderately Critical Vulnerabilities
- SA-CORE-2019-009: A flaw exists in install.php that can be used by an unauthenticated attacker to corrupt cached data, leading to a denial of service condition in which the site is impaired until the caches are rebuilt. Drupal suggests blocking access to install.php if it is not required.
- SA-CORE-2019-010: Multiple flaws reside in the file_save_upload() function that can allow an attacker with the ability to upload files to bypass security protections by overwriting arbitrary files such as .htaccess. This bug exists because file_save_upload() does not strip leading and trailing dots ('.') from filenames.
- SA-CORE-2019-011: A flaw exists in the Media Library module that allows attackers with low privileges to gain unauthorized access to sensitive data. The vulnerability arises from improper restrictions on access to media files in certain configurations.
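The following is an added illustration of the filename-handling defect behind SA-CORE-2019-010; it is not Drupal's own code, and the function names are hypothetical. It contrasts a naive filename step that keeps leading and trailing dots with a hardened one that strips them and rejects names that dissolve entirely, using constructed sample names.

```php
<?php
// Added illustration (not Drupal's code): why leading/trailing dots in an
// uploaded filename matter. With dots kept, an upload named ".htaccess"
// lands as a dotfile in the destination directory and can shadow the
// web server's own configuration file there.

// Stands in for the pre-fix behaviour described in the advisory: only the
// directory part is dropped; dots at either end survive.
function naive_upload_filename(string $name): string {
    return basename($name);
}

// Hardened version: drop path components, strip leading and trailing dots
// (plus surrounding whitespace and NUL), and refuse an empty result so
// names such as "." or "..." cannot slip through as an empty filename.
function safe_upload_filename(string $name): string {
    $name = basename(str_replace('\\', '/', $name));
    // The substantive fix: no leading or trailing '.' remains.
    $name = trim($name, ". \t\n\r\0\x0B");
    if ($name === '') {
        throw new InvalidArgumentException('filename is empty after sanitization');
    }
    return $name;
}

// Constructed sample names modelling the advisory's .htaccess case and a
// few edge cases around it.
$samples = ['.htaccess', 'report.pdf.', '../.htaccess', '...', 'photo.jpg'];

foreach ($samples as $sample) {
    $naive = naive_upload_filename($sample);
    try {
        $safe = safe_upload_filename($sample);
    } catch (InvalidArgumentException $e) {
        $safe = 'REJECTED (' . $e->getMessage() . ')';
    }
    printf("%-14s naive=%-12s safe=%s\n", var_export($sample, true), $naive, $safe);
}
```

With the naive step, ".htaccess" and "../.htaccess" both survive as ".htaccess"; the hardened step reduces them to "htaccess" and rejects "..." outright.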
Affected Versions
Drupal versions 7.x before 7.69, 8.7.x before 8.7.11, and 8.8.x before 8.8.1
Impact
An attacker can upload malicious files to overwrite sensitive files, bypass security restrictions, gain unauthorized access to sensitive data, and cause a denial of service condition.
Solution
Upgrade to Drupal 7.69, 8.7.11, or 8.8.1 or later.