The Drupal Core Team has recently resolved several security vulnerabilities in the Drupal core platform, ranking their potential risk as “Moderately Critical.” We recommend that Drupal users update as soon as possible to reduce the risk of attacks that exploit these flaws.
There are separate updates for users running Drupal 7.x and for those still using Drupal 6.x: Drupal 7.27 and Drupal 6.31, respectively.
These maintenance updates address security flaws that allow information to be disclosed through Drupal’s temporary form state storage.
According to the release notes, “Drupal’s form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.”
The vulnerability may lead to a leak of information between anonymous users. This means there is the possibility of information entered by one anonymous user leaking to another, “which may include sensitive or private information, depending on the nature of the form.”
This vulnerability is most likely to affect contributed modules or individual sites that use the Drupal Form API.
The announcement emphasizes that “this security release introduces small API changes to the Drupal core platform. This may require updates on sites or modules that expose Ajax or multi-step forms to anonymous users, and where the forms are displayed on pages that are cached.”
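As an added illustration of the kind of form the advisory is about (example code written here, not from the post, the advisory or Drupal core), this hypothetical Drupal 7 module `example_survey` exposes a two-step form to anonymous visitors and keeps the interim input in the form cache; the module, menu path and function names are assumptions.

```php
<?php
/**
 * Implements hook_menu(): exposes the form to anonymous visitors.
 */
function example_survey_menu() {
  $items['survey'] = array(
    'title' => 'Survey',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_survey_form'),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Form builder for the hypothetical two-step survey.
function example_survey_form($form, &$form_state) {
  // Keep $form and $form_state server-side between steps (the cache_form
  // table, looked up by the form_build_id embedded in the rendered page).
  // This is the temporary form-state storage the release notes describe.
  $form_state['cache'] = TRUE;
  $step = isset($form_state['storage']['step']) ? $form_state['storage']['step'] : 1;
  if ($step == 1) {
    $form['email'] = array(
      '#type' => 'textfield',
      '#title' => t('E-mail address'),
      '#required' => TRUE,
    );
    $form['next'] = array('#type' => 'submit', '#value' => t('Next'));
  }
  else {
    // Step 2 shows what step 1 stored: exactly the interim input that the
    // advisory says could leak between anonymous users before the fix.
    $form['summary'] = array(
      '#markup' => t('Submitting for @email', array('@email' => $form_state['storage']['email'])),
    );
    $form['finish'] = array('#type' => 'submit', '#value' => t('Finish'));
  }
  return $form;
}

// Submit handler: stores step 1 input and rebuilds, or completes the form.
function example_survey_form_submit($form, &$form_state) {
  if (empty($form_state['storage']['step'])) {
    $form_state['storage']['email'] = $form_state['values']['email'];
    $form_state['storage']['step'] = 2;
    $form_state['rebuild'] = TRUE;  // Rebuild (not redirect) so the cached state carries over.
  }
  else {
    drupal_set_message(t('Thank you for your response.'));
  }
}
```

Forms like this are the ones to inventory after upgrading: any form that is Ajax-enabled or sets `$form_state['cache']` or `$form_state['rebuild']`, is reachable by anonymous users, and appears on a page served from the page cache falls within the scope of the API change the announcement mentions.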
For more information on the new Drupal 7.27 and 6.31 releases, you can visit the official announcement notice from the Drupal.org team here. For more details on the specific security vulnerabilities addressed, you can read the official security advisory release from the Drupal core team here. Release notes for Drupal 7.27 can be viewed here, and for 6.31 here.
As always, if you have any questions about setting up your own site’s updates, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.