The open source Drupal content management platform is among the top free CMS in the world, with an estimated 15 million downloads according to one source. However, a researcher has warned of three security update issues that infosec pros and Web administrators need to pay attention to.
In a blog published Wednesday, Fernando Arnaboldi of security consultancy IOActive said he’s found that
–if the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning;
–an attacker may force an admin to check for updates because of a cross-site request forgery (CSRF) vulnerability in the update functionality;
–and Drupal security updates are transferred unencrypted and without authenticity checks, which could lead to code execution and database access.
For the time being, he said, administrators should manually download updates for Drupal and any plug-ins being used.
In an email Thursday to ITWorldCanada.com, Drupal security team member Greg Knaddison said developers will have a detailed response shortly. But for now they feel “the risk/impact has been overstated.”
UPDATE: On Friday the Drupal security team published this response. On the update failure, it acknowledged that “This is not ideal and should be corrected.” However, it added, the impact is limited to one page of the Drupal administrative interface; all other pages in the admin interface warn about failures correctly. Also, the Drupal Security Team publishes advisories in many ways (HTML, email, RSS, Twitter, and this update mechanism).
On the complaint that security updates are unencrypted, the team says it has now switched to HTTPS by default and is working to add SSL to anonymous downloads via version control (git). The next step is to release an updated Drupal core. In the meantime administrators should manually download release archives from their project pages, and use a supported version of drush (7 or higher) to obtain downloads or update information. “This will be fully secure after approximately 21:00 UTC on January 8th when rebuilding all the release XML files has been finished,” the team says.
Also this week Drupal competitor WordPress released version 4.4.1 with a number of security fixes including one for a cross-site scripting vulnerability. WordPress “strongly” encourages users to update their platforms.
Drupal, now on version 8.0.2, is used by a number of organizations around the world. There are Drupal support groups in Ottawa, Montreal, Waterloo and Toronto.
Arnaboldi said he discovered the first problem a few days after installing Drupal v7.39, when he learned security update v7.41 was available. However, according to his local instance, his software was up to date. “The issue was due to some sort of network problem,” he wrote. Drupal 6 displayed a warning message if an update check failed, but that warning is not present in Drupal 7 or Drupal 8, he said.
Other Web sites that have covered the report have noted that the missing warning could make administrators think their unpatched systems are safe.
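The design flaw behind the first issue is that a failed update check is reported the same way as a successful one. The following added example (not Drupal's code, and not from the researcher's post) contrasts a fail-open check with a fail-closed one, using the article's 7.39/7.41 scenario; the release XML is a constructed sample whose element names are an assumption, not the real updates.drupal.org feed format.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

# Constructed sample, loosely modelled on a release-history feed.
# Element names are an assumption; they are not copied from updates.drupal.org.
SAMPLE_RELEASE_XML = b"""<?xml version="1.0"?>
<project><short_name>drupal</short_name><releases>
  <release><version>7.41</version><terms><term>
    <name>Release type</name><value>Security update</value></term></terms></release>
  <release><version>7.40</version><terms><term>
    <name>Release type</name><value>Bug fixes</value></term></terms></release>
  <release><version>7.39</version></release>
</releases></project>"""

def _vers(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def pending_security_updates(xml_bytes: bytes, installed: str) -> List[str]:
    """Versions newer than `installed` that are tagged as security updates."""
    root = ET.fromstring(xml_bytes)
    found = []
    for rel in root.iterfind("./releases/release"):
        version = rel.findtext("version")
        types = [t.findtext("value") for t in rel.iterfind("./terms/term")
                 if t.findtext("name") == "Release type"]
        if _vers(version) > _vers(installed) and "Security update" in types:
            found.append(version)
    return sorted(found, key=_vers, reverse=True)

def status_fail_open(installed: str, fetch: Callable[[], bytes]) -> str:
    """Reproduces the behaviour the article describes: a fetch failure is
    swallowed, so the admin page reads 'current' with no data behind it."""
    try:
        pending = pending_security_updates(fetch(), installed)
    except OSError:
        pending = []  # bug: "no data" is treated as "no updates"
    return "current" if not pending else "security update: " + pending[0]

def status_fail_closed(installed: str, fetch: Callable[[], bytes]) -> str:
    """Hardened form: a failed or unparsable check is its own, visible state."""
    try:
        pending = pending_security_updates(fetch(), installed)
    except (OSError, ET.ParseError):
        return "unknown (update check failed)"
    return "current" if not pending else "security update: " + pending[0]

def fetch_ok() -> bytes:
    return SAMPLE_RELEASE_XML  # stands in for a successful HTTPS fetch

def fetch_broken() -> bytes:
    raise OSError("connection reset")  # simulated network failure
```

Note that 7.40 is newer than 7.39 but is not reported, because only releases tagged as security updates count; the hardened check is the one a defender wants on the admin page.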
While administrators could use Drupal’s Check Manually link, Arnaboldi cautions that in versions before Drupal 8 that link has a CSRF vulnerability. To exploit unencrypted updates, he says, an attacker must be able to eavesdrop on the victim’s network traffic — likely when a client communicates with the server over an insecure connection. Another possible attack vector is to offer a backdoored version of any of the modules installed on Drupal.