Security vulnerabilities fixed in latest Drupal versions

After addressing several vulnerabilities, Drupal  has asked
its user to upgrade its existing Drupal 7 and 6 sites.

A XSS vulnerability found in the auto-complete functionality
of forms as the requested URL is not sanitized properly, which affected both
Drupal 6 and 7. The flaw could allow an attacker to upload files to vulnerable
websites under another user’s account.
“For security reasons, the autocomplete system now makes
Ajax requests to non-clean URLs only, although protection is also in place for
custom code that does so using clean URLs,” Drupal explained.
The Drupal, which is used by more than 1.1 million websites,
published a security advisory on August 19 confirming that it had patched several
vulnerabilities in its versions 7.39 and 6.37.
It revealed that the version 7 was affected by a cross-site
scripting (XSS) vulnerability that could allow an attacker to launch attacks by
invoking Drupal.ajax() on a whitelisted HTML element.
Drupal developers warn that version 7 of the CMS is plagued
by a SQL injection vulnerability that allows an attacker with elevated
privileges to inject malicious code in SQL comments. The flaw, found in the SQL
comment filtering system, can only be exploited on one contributed module.
“When form API token validation fails (for example, when a
cross-site request forgery attempt is detected, or a user tries to submit a
form after having logged out and back in again in the meantime), the form API
now skips calling form element value callbacks, except for a select list of
callbacks provided by Drupal core that are known to be safe. In rare cases,
this could lead to data loss when a user submits a form and receives a token
validation error, but the overall effect is expected to be minor,” Drupal said
in the advisory.
The last vulnerability patched in Drupal 6 and 7 is an
information disclosure issue related to menu links.
“Users without the ‘access content’ permission can see the
titles of nodes that they do not have access to, if the nodes are added to a
menu on the site that the users have access to,” reads Drupal’s advisory.
The vulnerabilities affect Drupal core 6.x versions prior to
6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be
assigned to these vulnerabilities.

Leave a Reply