Another day, another critical vulnerability. That’s the life cycle of content management systems (CMS) WordPress and Drupal — just over a week into the new year, and already big problems have been found in both popular tools. As noted by SecurityWeek, WordPress 4.4.1 patches a worrisome cross-site scripting (XSS) issue, while problems with the update manager in Drupal 7 and 8 remain at large. Here’s a rundown of 2016’s first content management flaws.
Big Fix, Limited Data
According to US-CERT, it’s a good idea for users to patch version 4.4 of WordPress up to 4.4.1 since all earlier versions are subject to a XSS vulnerability that could give remote attackers total website control. The flaw was reported to parent company Automattic via a Philippines-based security researcher known only as Crtc4L. Obviously the problem was serious enough to warrant action since Automattic quickly rolled out its first update for version 4.4 and paid out an undisclosed sum to Crtc4L.
As for the flaw itself, however, little is known beyond its status as a XSS issue, likely to ensure users have enough update lead time and aren’t caught with a vulnerable CMS when the details go public. Good news? There’s already a fix in the wild. Not-so-good news? Without the details, it’s hard for security experts to weigh in on exactly how effective this fix is and whether there are any ways around the repair.
Unfortunate Updates for CMS
While WordPress still rules the CMS playground, Drupal is no slouch either, powering the Web presence of brands such as Virgin, Entertainment Weekly and NBC Sports. According to CSO Online, however, there are serious security risks surrounding the update mechanism of Drupal versions 7 and 8.
It all starts with a seemingly minor issue: If Drupal users are experiencing network trouble, update checks won’t report the problem and will still list the CMS as fully updated even if a patch is available. Users can still seek out updates using the Check Manually button on the Available Updates page, but as noted by IOActive researcher Fernando Arnaboldi, this introduces problems with cross-site request forgery (CSRF), server-side request forgery (SSRF) and man-in-the-middle (MitM) attacks. Drupal developers have announced they’re working on a fix for the CSRF and status update vulnerabilities, according to SecurityWeek.
The SSRF issue only affects Drupal 7. If exploited, cybercriminals can trick administrators into sending unlimited requests to the Drupal update server and quickly consume available bandwidth. The more serious MitM attack is made possible because updates don’t come encrypted by HTTPS in both Drupal 7 and 8. Cybercriminals could create and then serve up a seemingly legitimate version of Drupal that in fact contained backdoor, remote-access controls.
There’s some good news here since users must actively agree to download and install the file, but the flaw also lets malicious actors modify the Available Updates page to make it appear as though the version of code is not only the newest, but also necessary for complete security. Update problems aren’t new to Drupal — many have been around since 2012 — but these new flaws have sparked a fresh look at the CMS.
Bottom line? It’s not easy being a CMS; attackers never tire of looking for new ways to break or compromise WordPress and Drupal. If the rest of 2016 looks anything like the first week, expect a patch-intensive year for both these popular tools.