Drupal, an open source content management system used by several organizations including the White House, the Prince of Wales, British Council EAL and Amnesty International, has urged users running either Drupal 6 or Drupal 7 to upgrade their sites immediately.
Drupal 6 users are asked to upgrade to version 6.36 and Drupal 7 users to version 7.38.
The Drupal Security Team has released critical software updates to fix flaws that leave numerous businesses and government organizations open to attack.
“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the company’s advisory reads.
“This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange),” the advisory explains.
The vulnerability could allow the attackers to impersonate other users, including all-powerful administrators, and thereby gain control of an unpatched website.
“The Field UI module uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” the advisory reads.
“Similarly, the overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability,” the advisory explains.
The vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.
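The open redirect described in the two advisory excerpts above comes down to one missing check: a redirect target taken from the query string is followed without confirming that it points back into the site. The script below is an added example, not Drupal's own code or the project's fix; it assumes the parameter is named `destination` and uses no Drupal APIs, so it runs stand-alone with the PHP CLI. It shows the validation a redirect handler needs, including the protocol-relative and backslash forms that a naive "does it start with http" check misses.

```php
<?php
// Added example, not Drupal's own code: validate a redirect target taken from
// a query string parameter (assumed here to be named "destination") so that
// the redirect can only land on a path of this site, never on a third-party
// host. No Drupal APIs are used; the script runs stand-alone with the PHP CLI.

/**
 * Return TRUE only if $destination is a site-relative path.
 */
function is_local_destination($destination) {
    // Reject non-strings, empty values and anything containing control
    // characters or whitespace, which browsers may strip or reinterpret.
    if (!is_string($destination) || $destination === ''
        || preg_match('/[\x00-\x20]/', $destination)) {
        return false;
    }
    // Reject "//host", "\\host" and "/\host": browsers treat two leading
    // slashes (or backslashes) as a protocol-relative URL to a new host.
    if (preg_match('#^[/\\\\]{2}#', $destination)) {
        return false;
    }
    $parts = parse_url($destination);
    if ($parts === false) {
        return false;
    }
    // Any scheme ("http:", "javascript:"), host or userinfo component means
    // the value is an absolute URL rather than a local path.
    if (isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return false;
    }
    return true;
}

/**
 * Decide where to send the user: the requested destination if it is local,
 * otherwise a fixed fallback page on this site. A redirect handler would
 * pass the return value to its Location header instead of the raw parameter.
 */
function choose_redirect_target($destination, $fallback = 'admin') {
    return is_local_destination($destination) ? $destination : $fallback;
}

// Constructed sample inputs, modelled on what a ?destination= parameter
// might carry; the external ones are the kind an open redirect would follow.
$candidates = array(
    'admin/structure/types',
    'node/1?foo=bar',
    'http://attacker.example/login',
    '//attacker.example/login',
    '/\\attacker.example',
    'javascript:alert(1)',
    "admin\n/structure",
);
foreach ($candidates as $candidate) {
    printf("%-34s -> %s\n", json_encode($candidate), choose_redirect_target($candidate));
}
```

The decision is made on the parsed components rather than on string prefixes, which is why the scheme, host and userinfo checks are all needed: `parse_url()` reports `//attacker.example` as a host, `javascript:alert(1)` as a scheme, and the leading-slash regex covers the `/\host` spelling that `parse_url()` would otherwise accept as a path. Drupal 7 ships its own `url_is_external()` helper for the same purpose; the standalone version here makes the logic visible without the framework.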