Drupal developers released versions 6.36 and 7.38 to address multiple vulnerabilities.
These maintenance and security releases address open redirect, information disclosure, and access bypass vulnerabilities for the open source content management system (CMS).
Drupal 6 and 7 suffer from a critical access bypass flaw (CVE-2015-3234) that allows an attacker to impersonate users and hijack their accounts, according to an advisory.
The security hole exists in the OpenID module and attackers can leverage it by logging in to vulnerable websites as other users, including administrators.
Drupal said the vulnerability can only end up exploited against users who have an OpenID account from certain OpenID providers. The list includes Verisign, LiveJournal, StackExchange and others.
Researchers also uncovered two “less critical” open redirect vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and relates to the “destinations” query string parameter used in URLs to redirect users to a new page after they complete an action on certain administration pages.
An attacker can leverage this parameter to create a URL that will redirect users to third party websites. The vulnerability (CVE-2015-3232) can prove highly useful in social engineering attacks. Drupal said only sites with the Field UI module enabled suffer from the issue.
Drupal 6 does not have this bug, but it suffers from a similar open redirect vulnerability involving the Content Construction Kit (CCK), a set of modules that allow users to add custom fields to nodes using a web browser.
An attack leveraging this vulnerability only works if the Overlay module ends up enabled and the targeted user has the “Access the administrative overlay” permission.
The latest version of Drupal 7 also patches an information disclosure flaw related to the render cache system (CVE-2015-3231). Some Drupal websites use the render cache system to cache content by user role. The problem is private content viewed by “user 1” (a special account created during installation) might end up included in the cache, making it accessible to non-privileged users.