June 23, 2015 by Ben Chafetz

Inside Drupal’s Recent Critical Security Vulnerability

If you’re like most business owners out there, your company has a website, but your own particular skill set is not in software or web design. That’s OK, because there are some excellent content management systems out there that make managing your site a breeze. Drupal ranks among the most popular because of its user-friendly nature. However, a recently exposed Drupal critical security vulnerability has left the CMS giant scrambling to get the needed security patch in place for millions of users around the globe.

The Issues

Drupal, through its security team, recently released information that highlighted several bugs encountered within versions 6 and 7 of the CMS. One deals with an information disclosure that could potentially allow someone’s cached content to be viewed by unauthorized users. Two others are open redirect issues found exclusively in Drupal 7. The first is in the Overlay module, where insufficient validation of user-supplied URLs could allow attackers to redirect users of the site to third-party sites. The second vulnerability is a similar problem found within the Field UI module.

However, the greatest potential problem found during this episode was located in the OpenID module. This is a single sign-on extension that allows you to log into your site via OpenID. Attackers can access sites with OpenID identities acquired from a number of popular providers, including

  • StackExchange
  • Verisign
  • LiveJournal
  • Plus many others

With this access, they can log into a website using the “Log in with OpenID” option located on the login page. Once in, attackers can pose as site administrators and take over the site.

Drupal’s Response

Having isolated the issues, Drupal has created and released updated versions of Drupal 6 and 7. They are now encouraging users of version 6 to upgrade to Drupal 6.36 and users of version 7 to upgrade to Drupal 7.38. While the secure, updated versions have been available for a couple of weeks, you have to assume that these bugs will remain an issue for the immediate future. After all, Drupal is one of the most popular CMSs on the market, owning over 2 percent of the global market share. That represents tens of millions of customers whose sites are exposed to this latest batch of vulnerabilities.

The major problem in upgrading that you may encounter should you use Drupal as your CMS is that updates to the system have to be installed manually. Most program or software subscribers assume that their systems are updated automatically once upgrades are released. However, that’s not always the case. Drupal and many other systems out there require manual updates, meaning that if you haven’t installed any updates on your system, your version of Drupal is the same as the day that it was installed. While this means that you may not be enjoying all of the new features released since then, it also means that you’ve been subject to any of the vulnerabilities linked to that particular version. Updater programs are available that allow for upgrades to be automated, but their use requires a level of technical skill that many users simply don’t have.
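Because updates are manual, the first thing to establish is which core version a site is actually running. The following is an added example (not code from the post or from the Drupal project) that reads the `define('VERSION', ...)` line Drupal core ships with and compares it against the 6.36 / 7.38 releases named above; the two file locations are my assumption based on the Drupal 6 and 7 core layouts.

```python
import os
import re

# Core releases that closed this advisory, as stated in the post.
PATCHED = {6: (6, 36), 7: (7, 38)}

# Files in which Drupal core declares its own version (assumed locations:
# Drupal 7 keeps it in includes/bootstrap.inc, Drupal 6 in the system module).
VERSION_FILES = ("includes/bootstrap.inc", "modules/system/system.module")

# Matches define('VERSION', '7.38') and also suffixed builds like '7.38-dev'.
_DEFINE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9]+\.[0-9]+)[^']*'\s*\)")


def parse_version(source: str):
    """Return (major, minor) from a core file's VERSION define, or None if absent."""
    match = _DEFINE.search(source)
    if not match:
        return None
    major, minor = match.group(1).split(".")
    return int(major), int(minor)


def is_patched(version):
    """True if this core version includes the fixes, False if it is older,
    None when the major version is not covered by the advisory."""
    if version is None or version[0] not in PATCHED:
        return None
    return version >= PATCHED[version[0]]


def check_drupal_root(root: str):
    """Locate the version define under a Drupal document root and assess it."""
    for rel in VERSION_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            if version is not None:
                return version, is_patched(version)
    return None, None


# Constructed sample: the header of a bootstrap.inc from a site that was
# installed and never updated since.
SAMPLE_BOOTSTRAP = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.31');\n"

if __name__ == "__main__":
    found = parse_version(SAMPLE_BOOTSTRAP)
    print(found, "patched" if is_patched(found) else "needs upgrade")
```

Point `check_drupal_root()` at a real site's document root to get the same verdict for an actual install.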

The Need to Upgrade Now

Cybersecurity issues are nothing new. Yet if this is the first time that you or your company has personally been involved in one, you may not appreciate just how little time attackers need to exploit vulnerabilities. They will often identify them even before the program developers themselves do. Once they do, they get right to work developing automated tools that will quickly find all of the sites subject to certain issues. As soon as those are in place, a full-on assault can be launched without even having an attacker sitting at the proverbial wheel to direct it. In such a high-tech (not to mention high-stakes) game of cat-and-mouse, all attackers often need is a time window as small as a few minutes in order to gain the upper hand. Another advisory warning issued by Drupal in late 2014 illustrates this point. In that case, an announcement released only 7 hours after the bug involved was discovered warned users that systems running on the affected version that had not yet been updated should be considered compromised.

Your decision to go with Drupal as your CMS may have been prompted because of its ease of use. Yet this most recent security threat highlights the need to have a web development resource that you can turn to in order to upgrade your system as needed. That way, you’re not left panicking as so many others are right now. Our team here at 121 eCommerce can be the partner that you need in order to ensure that your infrastructure remains secure. We have the tools and the technical know-how to keep you protected.
