TTCSIRT-092.022318: TT-CSIRT Advisory – Drupal Security Updates

Drupal has released several security updates to make developers aware that multiple vulnerabilities exist in both Drupal 7 and Drupal 8, including:

a) Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

b) Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

c) When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

d) A jQuery cross-site scripting vulnerability is present when making Ajax requests to untrusted domains.

e) When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

f) Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Further information on these vulnerabilities and how they can be fixed can be found on the Drupal Website at https://www.drupal.org/sa-core-2018-001
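
For item (b), a regression check that teams maintaining their own client-side escaping helpers can run: it audits an escaper against each HTML output context rather than element text alone. This is an added example, not Drupal's code or its patch; `escapeHtml`, `incompleteEscape`, `auditEscaper` and the probe string are hypothetical names and constructed data.

```javascript
// Added example (not Drupal's code): audit an HTML escaper per output context.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes every character that can end a text node or a quoted attribute value.
// String() coerces numbers, null and objects so non-string input is still escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Constructed counter-example: handles markup characters but not the single quote.
function incompleteEscape(value) {
  return String(value).replace(/[&<>"]/g, (ch) => ENTITIES[ch]);
}

// Characters that let a value break out of each output context if left raw.
const CONTEXTS = {
  elementText: ['<', '>'],
  doubleQuotedAttr: ['"'],
  singleQuotedAttr: ["'"],
};

// An ampersand that does not start one of the entities this example emits.
const RAW_AMP = /&(?!(?:amp|lt|gt|quot|#39);)/;

// Constructed probe containing each significant character once.
const PROBE = `a&b<c>d"e'f`;

// Returns the names of the contexts in which `escaper` leaves unsafe output.
function auditEscaper(escaper, probe = PROBE) {
  const out = escaper(probe);
  const failures = Object.keys(CONTEXTS).filter((ctx) =>
    CONTEXTS[ctx].some((ch) => out.includes(ch)));
  if (RAW_AMP.test(out)) {
    failures.push('ampersand');
  }
  return failures;
}

console.log('escapeHtml failures:', auditEscaper(escapeHtml));
console.log('incompleteEscape failures:', auditEscaper(incompleteEscape));
```

An escaper that passes the `elementText` check can still fail in an attribute context, so the audit belongs in the test suite of any module that builds HTML strings in JavaScript.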