Hacking Drupal websites via tar files. Critical vulnerability

On many occasions users forget to update their websites or blogs built on the most popular content management systems (CMS). The cybersecurity community considers the worst aspect of these cases to be that administrators only update once news emerges of vulnerabilities that compromise the integrity of their web platforms; this seems to be one of those cases.

Drupal CMS developers have just announced the release of security updates designed to fix a critical vulnerability, in addition to three medium-severity vulnerabilities recently detected in Drupal Core.

Security firms and independent cybersecurity experts consider Drupal-powered websites one of the main targets of malicious hacker attacks, so website administrators are strongly advised to install the latest version of Drupal to prevent the risk of exploitation of this flaw.

On the critical vulnerability, the description of the update mentions that it includes patches for several vulnerabilities in a third-party library known as ‘Archive_Tar’, used by Drupal Core to create, list, extract, and add files to tar archives.

The flaw exists because of the way the affected library extracts archives containing symbolic links. If exploited, the vulnerabilities would allow a threat actor to overwrite sensitive files on the target server by uploading a specially crafted tar file. It is important to mention that the vulnerability only affects Drupal websites configured to process .tar, .tar.gz, .bz2, or .tlz files that might be uploaded by an unauthorized user.
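The defensive counterpart to the flaw described above is to audit every archive member before anything is written to disk: a symlink whose target resolves outside the extraction directory, or a later member whose path passes through such a link, is exactly what lets an archive overwrite files the uploader should never reach. The following is an added example, not code from Drupal or the Archive_Tar library; it uses Python's standard `tarfile` module as a stand-in for the PHP library, and the function names (`audit_tar`, `is_safe_tar`, `build_sample_archive`) and the in-memory sample archive are constructed for this illustration.

```python
"""Pre-extraction audit of a tar archive (added example, not Archive_Tar code).

Members are checked before extraction: symlinks that point outside the
extraction root, members written through an earlier symlink, absolute paths,
'..' traversal, hard links leaving the root and special files are all rejected.
"""
import io
import posixpath
import tarfile


def _inside_root(path: str):
    """Normalize a member path; return None if it leaves the extraction root."""
    norm = posixpath.normpath(path)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        return None
    return norm


def audit_tar(data: bytes):
    """Return (accepted, rejected); rejected is a list of (name, reason) tuples."""
    accepted, rejected = [], []
    symlinks = set()  # normalized names of symlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = _inside_root(m.name)
            if name is None:
                rejected.append((m.name, "path escapes the extraction root"))
                continue
            # Any prefix of the path (including the full name) that is an
            # earlier symlink means this write would follow that link.
            parts = name.split("/")
            prefixes = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
            through = next((p for p in prefixes if p in symlinks), None)
            if through is not None:
                rejected.append((m.name, f"written through symlink '{through}'"))
                continue
            if m.issym():
                symlinks.add(name)
                # Resolve the target relative to the link's own directory.
                target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), m.linkname))
                if (posixpath.isabs(m.linkname) or target == ".."
                        or target.startswith("../")):
                    rejected.append(
                        (m.name, f"symlink target '{m.linkname}' escapes the root"))
                    continue
            elif m.islnk():
                # Hard link targets are archive-relative paths.
                if _inside_root(m.linkname) is None:
                    rejected.append((m.name, "hard link target escapes the root"))
                    continue
            elif not (m.isfile() or m.isdir()):
                rejected.append((m.name, "special file type not allowed"))
                continue
            accepted.append(name)
    return accepted, rejected


def is_safe_tar(data: bytes) -> bool:
    """True only when no member was rejected; extract nothing otherwise."""
    return not audit_tar(data)[1]


def _add_file(tf, name, payload: bytes):
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tf.addfile(info, io.BytesIO(payload))


def _add_symlink(tf, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tf.addfile(info)


def build_sample_archive() -> bytes:
    """Constructed in-memory archive mixing benign and hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "site/README.txt", b"hello")
        _add_symlink(tf, "site/current", "README.txt")   # benign, stays inside
        _add_file(tf, "site/current", b"x")               # would write through the link
        _add_symlink(tf, "site/escape", "../../../etc")   # target outside the root
        _add_file(tf, "site/escape/passwd", b"x")         # would land outside the root
        _add_file(tf, "/tmp/absolute.txt", b"x")          # absolute path
        _add_file(tf, "../outside.txt", b"x")             # classic traversal
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_tar(build_sample_archive())
    print("accepted:", ok)
    for entry, why in bad:
        print(f"rejected {entry!r}: {why}")
```

The audit keeps state across members on purpose: a symlink that is individually harmless (`site/current` above) becomes dangerous the moment a later member is written to the same path or beneath it, so the check has to consider the archive as a sequence rather than each entry in isolation.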

In their report, Drupal’s developers mentioned that a proof of concept for exploiting these flaws already exists. This factor, together with the number of Drupal exploits already in circulation, makes it highly likely that the vulnerability has already been exploited in the wild, so updating is essential, cybersecurity experts note.

Regarding the three lower-risk security flaws, which also resided in Drupal Core, the CMS developers mentioned a few details:

  • Denial of Service (DoS): The install.php file used by Drupal 8 Core contains a vulnerability that could be exploited to cause service failure by corrupting a website’s cache data. Exploiting this flaw does not require authentication, cybersecurity experts say.
  • Security restrictions bypass: During file upload, Drupal 8 fails to strip certain characters from file names, so an attacker with permission to upload files could use crafted file names to overwrite arbitrary files on the system, especially .htaccess, which would let them evade the system’s protections.
  • Unauthorized access: The default Drupal Media Library module does not correctly restrict access to certain settings, so a user with reduced privileges could gain unauthorized access to sensitive details.
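The second item above comes down to what an upload handler does with the name the client supplies. As an added example (not Drupal's own code, and not a description of how Drupal's fix works), the sanitizer below shows the checks a defender would want: take only the final path component, drop control characters rather than truncating at them, restrict the remaining characters, and refuse dot-files such as `.htaccess` outright instead of renaming them. The function name `safe_upload_name` and the allowed character set are assumptions made for this illustration.

```python
"""Upload filename sanitizer (added example, not Drupal code)."""
import re

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")          # NUL and other control chars
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]+")      # assumed conservative charset


def safe_upload_name(raw: str):
    """Return a safe file name, or None if the name must be rejected."""
    # 1. Keep only the last path component; treat both '/' and '\' as separators
    #    so a traversal prefix cannot steer the file into another directory.
    name = re.split(r"[\\/]", raw)[-1]
    # 2. Remove control characters entirely (a NUL must not truncate the name).
    name = _CONTROL.sub("", name)
    # 3. Collapse any other disallowed run into one underscore, tidy the edges.
    name = _DISALLOWED.sub("_", name).strip("_")
    name = re.sub(r"_*\._*", ".", name)
    # 4. Reject empty names, names made only of dots/underscores, and dot-files:
    #    a leading dot is how a server config file such as .htaccess is named.
    if not name or name.startswith(".") or set(name) <= {".", "_"}:
        return None
    return name


if __name__ == "__main__":
    for candidate in ["report.pdf", "../../.htaccess", "..\\..\\.htaccess",
                      "report\x00.pdf", "My Report (final).pdf", "..."]:
        print(f"{candidate!r:32} -> {safe_upload_name(candidate)!r}")
```

Rejecting rather than renaming a dot-file is a deliberate choice: a rename silently turns an attempt to plant `.htaccess` into an ordinary file, whereas a rejection is something an administrator can log and notice.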

Specialists at the International Institute of Cyber Security (IICS) mention that, due to the existence of the exploit proof of concept, it is vital that website administrators in Drupal upgrade to the latest version as soon as possible.