'You're updated!' Drupal says, with fingers crossed behind back
Next Drupalgeddon is really gunna sting
Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current.
The popular content management system is used by more than a million sites making it a significant target for hackers.
Indeed, in October 2014 attackers took mere hours to compromise untold piles of sites whose admins had failed to apply a patch against a dangerous SQL injection flaw.
Drupal at the time went as far as to proclaim all unpatched sites are considered compromised unless patches were immediately applied.
All new Drupal installs are affected by the borked update mechanism and fixes are not yet available. Drupal has been informed of the risk.
IOActive research man Fernando Arnaboldi says sites are now at risk of future attack because Drupal 7 and 8 platforms are being marked as up-to-date, even if the automated patching process fails due to dead internet links.
"Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning," Arnaboldi says.
"The issue was due to some sort of network problem.
"...in Drupal 6 there was a warning message in place, but this is not present in Drupal 7 or Drupal 8."
Arnaboldi finds other flaws including that the update process is made over HTTP instead of HTTPS opening the possibility for man-in-the-middle attacks over public networks.
Those network lurkers could, thanks to a known cross-site request forgery hole in Drupal versions below 8, trigger a manual update pointing to their backdoored version of the platform.
They could also cause installations to issue infinite update requests, chewing bandwidth.
Failures to verify the legitimacy of downloaded updates could also lead to remote code execution, according to Arnaboldi. ®