An actively exploited Drupal vulnerability – tracked as CVE-2017-6922 – has been patched this week. The flaw affects Drupal 7.56 and 8.3.4 and is being exploited in the wild.
The flaw is an access bypass vulnerability that Drupal has been aware of since last October, although a patch has only just been issued. It can be exploited on misconfigured websites, allowing anonymous users to upload files that are stored in a public file system and can therefore be accessed by other anonymous users. Private files that are not attached to website content should be accessible only to the individual who uploaded them. The vulnerability affects only websites that permit file uploads by anonymous or untrusted visitors.
Drupal says anonymous users could upload images or other files via webforms, and that the site maintainer may not want those files to be accessible to other individuals. The Drupal vulnerability is being exploited for spam purposes: malicious actors can point search engines at those files or direct users to them via spam email campaigns.
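As an added illustration (not Drupal's own code), the following Python model encodes the access rule the advisory describes: a private file that is not attached to any content may be downloaded only by the account that uploaded it, while an attached file follows the access rules of the content it belongs to. The model assumes, as a simplification, that all anonymous visitors share one pseudo-account id (0, Drupal's convention), which is why a bare "owner matches requester" check cannot tell one anonymous visitor from another; the names, records and the hardened rule are constructed for the example.

```python
"""Illustrative model of a private-file access decision (not Drupal's code).
All records below are constructed for the example."""
from dataclasses import dataclass

ANONYMOUS_UID = 0  # assumption: every anonymous visitor is represented by uid 0


@dataclass(frozen=True)
class PrivateFile:
    fid: int
    owner_uid: int                       # account that uploaded the file
    attached_to: frozenset = frozenset() # ids of content items referencing it


@dataclass(frozen=True)
class Account:
    uid: int
    viewable_content: frozenset = frozenset()  # content this account may view


def naive_can_download(f: PrivateFile, who: Account) -> bool:
    """Owner-or-attached rule as a plain comparison. Because all anonymous
    visitors share uid 0, a file uploaded anonymously is 'owned' by every
    anonymous visitor, which is the exposure the advisory describes."""
    if f.attached_to & who.viewable_content:
        return True
    return f.owner_uid == who.uid


def hardened_can_download(f: PrivateFile, who: Account) -> bool:
    """Same rule, but ownership is never inferred for the shared anonymous
    identity: an unattached anonymous upload is reachable only through content."""
    if f.attached_to & who.viewable_content:
        return True
    if who.uid == ANONYMOUS_UID:
        return False
    return f.owner_uid == who.uid


if __name__ == "__main__":
    anon_upload = PrivateFile(fid=1, owner_uid=ANONYMOUS_UID)
    other_visitor = Account(uid=ANONYMOUS_UID)
    print("naive:", naive_can_download(anon_upload, other_visitor))        # True
    print("hardened:", hardened_can_download(anon_upload, other_visitor))  # False
```

The hardened rule is deliberately fail-closed: an anonymous uploader loses direct access to their own unattached file, which matches the advisory's point that such files should not be reachable by other anonymous visitors and that sites not needing anonymous uploads should not allow them at all.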
A critical improper field validation flaw – CVE-2017-6921 – has also been fixed. This flaw would also allow a malicious actor to upload files to a vulnerable website if the RESTful Web Services module is enabled. Because the module accepts PATCH requests, an individual could register an account on the site with permission to upload files and then modify the file resource. The flaw exists in Drupal core versions prior to 8.3.4.
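To show what proper field validation on a PATCH endpoint looks like, here is an added Python example (not Drupal's REST module): a deny-by-default handler for a user resource that lets an account change only a small set of its own fields and reserves privilege-bearing fields for administrators. The field names, the JSON shape of the sample requests and the status codes are constructed for the example.

```python
"""Added illustration of server-side field validation for a REST PATCH handler.
Not Drupal's code; field sets and sample bodies are constructed for the example."""
import json

# Fields an account may change on itself (assumed set for this example).
SELF_PATCHABLE = frozenset({"mail", "timezone", "preferred_langcode"})
# Fields that grant or alter privileges; administrators only.
PRIVILEGED = frozenset({"roles", "status", "pass", "uid"})


class PatchRejected(ValueError):
    """Raised when a PATCH body touches a field the requester may not change."""


def allowed_fields(requester_is_admin: bool) -> frozenset:
    """Deny by default: anything outside the returned set is rejected."""
    return SELF_PATCHABLE | (PRIVILEGED if requester_is_admin else frozenset())


def validate_user_patch(body, requester_uid, target_uid, requester_is_admin=False):
    """Return the fields that may be applied, or raise PatchRejected.

    body is the decoded JSON object of the request, keyed by field name."""
    if not isinstance(body, dict):
        raise PatchRejected("body must be a JSON object")
    if requester_uid != target_uid and not requester_is_admin:
        raise PatchRejected("an account may only patch itself")
    rejected = sorted(set(body) - allowed_fields(requester_is_admin))
    if rejected:
        raise PatchRejected(f"field(s) not patchable by this requester: {rejected}")
    return dict(body)  # copy, so callers cannot alter what was checked


def handle_patch(raw_json, requester_uid, target_uid, requester_is_admin=False):
    """Parse a raw request body and return (status, payload) for the HTTP response."""
    try:
        body = json.loads(raw_json)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    try:
        applied = validate_user_patch(body, requester_uid, target_uid, requester_is_admin)
    except PatchRejected as exc:
        return 403, {"error": str(exc)}
    return 200, {"applied": applied}


# Constructed samples: a freshly registered account tries to grant itself a role
# alongside an innocuous email change; the second body is a benign self-update.
SAMPLE_ESCALATION = json.dumps({"mail": [{"value": "new@example.test"}],
                                "roles": [{"target_id": "administrator"}]})
SAMPLE_BENIGN = json.dumps({"timezone": [{"value": "UTC"}]})

if __name__ == "__main__":
    print(handle_patch(SAMPLE_ESCALATION, requester_uid=42, target_uid=42))  # 403
    print(handle_patch(SAMPLE_BENIGN, requester_uid=42, target_uid=42))      # 200
```

The important property is that the whole request is rejected when any field is out of policy, rather than silently dropping the offending field and applying the rest; a partial apply would make the escalation attempt invisible in the response and harder to spot in logs.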
Another Drupal vulnerability – CVE-2017-6920 – affecting version 8.3.4 has also been fixed with this week’s round of updates. CVE-2017-6920 is a remote code execution vulnerability, also rated critical. The patch changes how unsafe objects are handled by the PECL YAML parser. The vulnerability exists in core versions 7.x prior to 7.56 and 8.x versions prior to 8.3.4, and on unpatched versions it can be exploited to execute code remotely.
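The underlying hazard is a YAML parser that turns tags in untrusted input into live objects. The real fix is to configure the parser so it never does that (for the PECL yaml extension, to the best of my knowledge, the `yaml.decode_php` ini setting governs whether `!php/object` tags are decoded); the added Python example below, which is not Drupal's code, is a defence-in-depth guard you can place in front of any YAML parser: it scans the raw document for explicit tags and refuses anything outside a small data-only allow-list. The allow-list, the sample documents and the tag name in the unsafe sample are constructed for the example.

```python
"""Added defence-in-depth guard (not Drupal's code): reject untrusted YAML that
carries explicit tags outside a data-only allow-list before it reaches a parser
that might construct objects from tags. Allow-list and samples are constructed."""

ALLOWED_TAGS = frozenset({
    "!!str", "!!int", "!!float", "!!bool", "!!null",
    "!!map", "!!seq", "!!binary", "!!timestamp",
})

# Characters after which a new scalar (and so a tag or a quoted string) may begin.
_SCALAR_START = " \t-:[,{"


def find_tags(yaml_text: str) -> list:
    """Collect explicit tags (tokens beginning with '!') that appear outside
    quoted scalars and comments. Line-oriented and conservative: a tag-like
    token inside a block scalar is also reported, so the check only fails closed."""
    tags = []
    for line in yaml_text.splitlines():
        quote = None  # quote character while inside a quoted scalar
        i = 0
        while i < len(line):
            c = line[i]
            at_start = i == 0 or line[i - 1] in _SCALAR_START
            if quote:
                if c == quote:
                    quote = None
            elif c in "'\"" and at_start:
                quote = c
            elif c == "#" and (i == 0 or line[i - 1].isspace()):
                break  # rest of the line is a comment
            elif c == "!" and at_start:
                j = i
                while j < len(line) and line[j] not in " \t,[]{}":
                    j += 1
                tags.append(line[i:j])
                i = j
                continue
            i += 1
    return tags


def disallowed_tags(yaml_text: str, allowed=ALLOWED_TAGS) -> list:
    return [t for t in find_tags(yaml_text) if t not in allowed]


def load_untrusted(yaml_text: str, parser):
    """Call parser(yaml_text) only if the document uses no object/custom tags."""
    bad = disallowed_tags(yaml_text)
    if bad:
        raise ValueError(f"refusing YAML with non-data tags: {bad}")
    return parser(yaml_text)


# Constructed sample: plain data, one core tag, a '!' inside a string and a comment.
SAFE_DOC = (
    "title: Hello\n"
    "count: !!int 3\n"
    "items: [a, b]\n"
    "note: 'use ! carefully' # !notatag\n"
)
# Constructed sample: an object-construction tag (tag name chosen to resemble the
# PHP-object tag; the payload itself is omitted).
UNSAFE_DOC = "payload: !php/object '(serialized object omitted)'\n"

if __name__ == "__main__":
    print(disallowed_tags(SAFE_DOC))    # []
    print(disallowed_tags(UNSAFE_DOC))  # ['!php/object']
```

The guard is intentionally simpler than a YAML parser and errs toward rejection; it is a second line of defence behind a parser configured not to build objects, not a replacement for that configuration.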