Drupal fixes RCE and other Vulnerabilities

Drupal’s security team has fixed three vulnerabilities in the popular content management system’s core, one of which (CVE-2020-13663) could be exploited to achieve remote code execution.

What is Drupal?

Drupal is a free and open-source web content management system (CMS) and over a million sites run on various versions of it. The most recent stable version is 9.x, released earlier this month.

Vulnerabilities:

Three security holes have been plugged with the latest versions of Drupal core (9.0.1):

1) CVE-2020-13664 is the most critical one, but it can only be triggered under certain circumstances.

2) CVE-2020-13665 is an access bypass flaw that can be exploited only on sites that have read_only set to FALSE under the jsonapi.settings configuration.

3) CVE-2020-13663 also affects Drupal 7.x, the most widely used Drupal version (both according to Drupal and W3Techs). CVE-2020-13663 is a document object model-based cross-site scripting (DOM XSS) vulnerability that was unearthed by Checkmarx researcher Dor Tumarkin. “This type of XSS attack is achievable if a web application enters data to the DOM without being appropriately sanitized. In this case, an attacker can manipulate their input data to include XSS content on the web page, for example, malicious JavaScript code, which in turn would be consumed by Drupal Core itself,” the company explained.

How attackers exploit the vulnerability:

CVE-2020-13664: “An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability,” Drupal’s security team explained, and added that Windows servers are most likely to be affected.

CVE-2020-13665: An attacker can exploit the vulnerability only on sites that have read_only set to FALSE under jsonapi.settings.

CVE-2020-13663: “An attacker abusing this vulnerability can take over the administrator role of a Drupal-based website and get full control that allows changing of content, creating malicious links, stealing sensitive or financial data, or whatever else comes to mind.” Therefore, it is vulnerable to remote code execution (RCE).

Affected versions:

8.8.x, 8.9.x and 9.0.x.

Recommendations

It is recommended to consider the following best practices:

  1. Admins of Drupal-based sites are advised to upgrade to Drupal v7.72, 8.8.8, 8.9.1 or 9.0.1. Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
  2. Drupal v7.x is still maintained and receives security updates, but it will reach end-of-life in November of 2021, so admins that use it are urged to start planning the upgrade to a newer version, preferably 9.x.
  3. Keep Drupal and its modules up to date.
  4. To prevent remote code execution:
     • Try to blacklist special characters or function names.
     • Do not pass any user-controlled input inside evaluation functions or callbacks.
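
An added example (not from Drupal or from the original article) that turns recommendation 1 and the CVE-2020-13665 condition into a check: it compares a core version string with the fixed releases listed above and reads read_only from the text of an exported jsonapi.settings.yml. The function names and the sample config text are assumptions made for illustration.

```python
import re

# Fixed releases per branch, taken from recommendation 1 in this article.
FIXED = {(7,): (7, 72), (8, 8): (8, 8, 8), (8, 9): (8, 9, 1), (9, 0): (9, 0, 1)}

def parse_version(text):
    """Turn '8.8.6' or '7.70' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal core version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def core_status(version_text):
    """Classify a core version as patched, vulnerable, end-of-life or unknown."""
    v = parse_version(version_text)
    if v[0] == 8 and v < (8, 8):
        return "end-of-life"  # Drupal 8 before 8.8.x gets no security coverage
    branch = v[:1] if v[0] == 7 else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by this article
    return "patched" if v >= fixed else "vulnerable"

def jsonapi_read_only(config_text):
    """Read top-level read_only from exported jsonapi.settings.yml text.
    Returns True or False, or None when the key is absent."""
    for line in config_text.splitlines():
        m = re.match(r"read_only:\s*(\S+)", line)
        if m:
            return m.group(1).strip("'\"").lower() == "true"
    return None

def audit(version_text, jsonapi_config=None):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    status = core_status(version_text)
    if status != "patched":
        findings.append(f"core {version_text}: {status}")
        if jsonapi_config is not None and jsonapi_read_only(jsonapi_config) is False:
            findings.append("jsonapi.settings read_only is FALSE: "
                            "CVE-2020-13665 condition is met")
    return findings

# Constructed sample input, not taken from a real site.
SAMPLE_CONFIG = "read_only: false\n"

if __name__ == "__main__":
    for version in ("8.7.14", "8.9.0", "9.0.1"):
        print(version, audit(version, SAMPLE_CONFIG) or "ok")
```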