Drupal is not as popular as WordPress but is used by some fairly serious content businesses. Now IOActive’s Fernando Arnaboldi has warned that there are three major flaws in Drupal’s update process that may allow attackers to poison Drupal installations via update packages.
In the worst cases, even servers can be taken over.
Drupal can be updated from its backend administration panel, just by pressing a button. The CMS is also fitted with an automatic update checker, for both its core and its modules. This lets admins know when a new version is out and allows them to quickly apply the update package and move on to other more important things.
The first problem is with failed update queries. Because of various connectivity issues, Drupal sites may sometimes fail when checking for an update. When this happens, the CMS prints the “All your projects are up to date” message, instead of clearly stating that the update has failed to complete.
Attackers could flood local networks with traffic when an update process is taking place, forcing the CMS to print an erroneous update status in the backend.
The Drupal admin might think their site is up to date when in reality it remains vulnerable for tens of dangerous bugs, which can quickly add up when not keeping the CMS properly updated.
Arnaboldi said that the second issue has to do with the “Check manually” button included on the Drupal update page. This button allows the site’s administrators to check for new updates on command, and later apply the update. This button is vulnerable to CSRF (Cross-Site Request Forgery) attacks.
“Administrators may unwillingly be forcing their servers to request unlimited amounts of information from updates.drupal.org to consume network bandwidth,” he wrote.
The third flaw is more critical and has to do with the fact that Drupal’s update process is unencrypted. By sending everything in cleartext, an attacker present on the local network in the form of an infected computer can sniff out traffic between the Drupal CMS and the drupal.org servers, and detect when an update process is started.
The hacker can launch a simple MitM (Man-in-the-Middle) attack, spoof communications, and send malicious update packages to the CMS instead. Arnaboldi used the third flaw to backdoor a Drupal update on a test website. He packaged a reverse PHP shell that gave him access to the Web server running the CMS, and later extracted the MySQL database’s username and password (image below).
What is weird is that Drupal had known of this issue since 2012, but only recently reopened discussions on fixing the problem, after Arnaboldi made the announcement. It still does not have a fix but is apparently working on it.