The Drupal team released last night new versions of their CMS, which address ten security vulnerabilities discovered in all three major branches (6.x, 7.x, and 8.x).
Out of the ten vulnerabilities, based on their severity, one bug was rated critical, six as moderately critical, and three as less critical.
The vulnerability labeled as critical affected only version 6 and was an authentication bypass issue that allowed non-admin members to interact with admin-only buttons.
Drupal XML-RPC service can be abused for brute force attacks, just like in WordPress
Vulnerabilities labeled as critical included a file upload bypass that caused a local denial of service (versions 7 and 8) and an open redirect issue on the 404 error page that rerouted users to malicious links (versions 6, 7, and 8).
Additionally, the team also patched an issue that in the past also affected WordPress sites. Apparently, the Drupal CMS also includes an XML-RPC service that can be abused in the same way as in WordPress, to amplify brute-force attacks on the admin login page (versions 6 and 7). This has been hardened to prevent such exploitation.
Other moderately critical bugs fixed include an HTTP header injection using line breaks (version 6), another open redirect issue via double-encoded “destination” parameters (version 6), and a reflected file download issue (versions 6 and 7).
Less critical issues included a bug that granted some users accounts extra privileges (version 6 and 7), a bug that unserialized user-provided data during transport due to session data truncation (version 6), and a bug that allowed users to log in using their email address instead of their username (versions 7 and 8).
Drupal 6 reaches End Of Life (EOL)
All these issues have been fixed in Drupal versions 8.0.4, 7.43, and 6.38, available for download today, on Drupal’s website, their GitHub repo.
Additionally, the Drupal team has also reminded their users that, yesterday, February 24, 2016, branch 6.x of their project officially reached EOL status (End Of Life).
This means that, except urgent bug fixes, version 6 won’t receive any new features or support from the Drupal team.