Drupal developers have announced the release of updates 7.69, 8.7.11 and 8.8.1, containing patches for several vulnerabilities. The most serious of them lies in the third-party Archive_Tar library, which the CMS uses to process archive files.
According to the bulletin, this problem is actually a whole cluster of vulnerabilities. Exploitation is only possible if the Drupal configuration allows uploading and processing files in .tar, .tar.gz, .bz2 or .tlz format.
The vulnerability is caused by incorrect unpacking of archives that contain symbolic links. This flaw lets an attacker overwrite critical files on the server by uploading a malicious tar file.
The use of symlinks for privilege escalation was demonstrated twice last summer by independent researcher Vasily Kravets, and his colleague published PoC code on GitHub. As a result, ThinkShout programmer Sam Mortenson advised the Archive_Tar developers to add an option that blocks the processing of symlink entries. The recommendation was accepted, and in early December that option shipped with version 1.4.9 of the library.
This improvement is now available to Drupal users as well: the CMS developers updated Archive_Tar in all supported branches (7.x, 8.7.x and 8.8.x). Notably, they had to make a similar replacement about a year ago to protect sites from attacks through another vulnerability in the same library, CVE-2018-1000888.
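The defensive idea behind the Archive_Tar change, refusing to extract link entries and anything whose path or link target would land outside the destination directory, is shown below as an added example. It is written in Python against the standard tarfile module and is not Archive_Tar's or Drupal's code; the sample archive, the destination path /var/www/files and the function names are constructed for the demonstration.

```python
import io
import os
import tarfile
from typing import List, Tuple


def build_sample_archive(include_bad: bool = True) -> bytes:
    """Constructed sample tar: one ordinary file, plus (optionally) a symlink
    whose target escapes the extraction directory and an entry whose own name
    walks out of the tree. Not taken from any real advisory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"harmless content\n"
        info = tarfile.TarInfo("uploads/readme.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        if include_bad:
            link = tarfile.TarInfo("uploads/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside.txt"  # points above the destination
            tar.addfile(link)

            esc = tarfile.TarInfo("../escape.txt")  # name itself traverses up
            esc.size = len(data)
            tar.addfile(esc, io.BytesIO(data))
    return buf.getvalue()


def _escapes(base: str, candidate: str) -> bool:
    """True when `candidate`, joined to `base`, resolves outside `base`.
    realpath() is applied to both sides so lexical '..' components are collapsed."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    return os.path.commonpath([base_real, target]) != base_real


def audit_archive(data: bytes, dest: str = "/var/www/files",
                  allow_links: bool = False) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every entry that must not be extracted.
    An empty list means the archive is safe to unpack into `dest`."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or _escapes(dest, m.name):
                problems.append((m.name, "path escapes extraction directory"))
            if m.issym() or m.islnk():
                if not allow_links:
                    # Mirrors the "ignore symlinks" policy: links are refused outright.
                    problems.append((m.name, "symlink/hardlink entries are refused"))
                else:
                    # Links allowed only if the target stays inside `dest`.
                    rel_target = os.path.join(os.path.dirname(m.name), m.linkname)
                    if os.path.isabs(m.linkname) or _escapes(dest, rel_target):
                        problems.append((m.name, "link target escapes extraction directory"))
            if m.isdev():
                problems.append((m.name, "device node entries are refused"))
    return problems


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only after the audit passes; returns the extracted member names."""
    problems = audit_archive(data, dest)
    if problems:
        raise ValueError(f"refusing archive: {problems}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        tar.extractall(dest, members=members)
        return [m.name for m in members]


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

The audit runs over the member list before anything touches the filesystem, which is the order that matters: a link written first and a regular file written through it afterwards is exactly the sequence the symlink flaw relies on, so checking entries one at a time during extraction is not equivalent.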
Three other issues fixed in Drupal are less dangerous and affect only Drupal 8 core:
- denial of service through corruption of the cache contents; until the patch is applied, the risk can be reduced by blocking access to the install.php file;
- bypass of access restrictions on media files; as a temporary mitigation, disabling the Advanced UI mode of the Media Library module in the settings is suggested (only possible in the 8.8.x branch);
- bypass of protection mechanisms by uploading a file whose name begins or ends with a dot.
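The last item is a filename-sanitisation gap: leading or trailing dots in an uploaded name survive, which is what lets a hidden or misleading name through. The added example below is a stand-alone Python sanitiser, not Drupal's file_save_upload() logic; the extension allowlist and the function name are constructed for the demonstration.

```python
import os
import re
from typing import Optional

# Constructed allowlist for the example; a real site would take this from config.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg"}


def sanitize_upload_name(name: str) -> Optional[str]:
    """Return a safe basename for an uploaded file, or None when the name
    must be rejected outright.

    Steps: drop any directory part, strip surrounding whitespace and then
    leading/trailing dots (so no dot-file and no trailing-dot name survives),
    replace characters outside a conservative set, and require an allowed
    extension. A name that collapses to nothing, or to something with no
    extension, is rejected rather than guessed at."""
    base = os.path.basename(name.replace("\\", "/")).strip()
    base = base.strip(".")
    if not base:
        return None
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    # Collapse runs of dots left in the middle, e.g. "a...txt" -> "a.txt".
    base = re.sub(r"\.{2,}", ".", base)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return base


if __name__ == "__main__":
    for candidate in [".htaccess", "report.txt.", "  .hidden.png.", "...", "../../x.pdf"]:
        print(repr(candidate), "->", sanitize_upload_name(candidate))
```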