Security vulnerability in unmaintained Drupal contrib module puts 120000 sites at risk

Submitted by dryer on Fri, 04/14/2017 - 16:32

Drupal is known for its large number of community contributed modules that add functionality to the bare bones core system. While the core system is actively maintained by the Drupal core security team, there is no such guarantee for the third party modules.

One such community contribution is "References", which is a module that allows adding references between nodes to provide for complex information architectures.

The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this References module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

Please note, the security team will not release information on this vulnerability for up to a month; the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.

They have reported the issue on the Drupal security site and will keep the details out of the public for 30 days. This will be plenty of time for malicious parties to track down the issue in the source code. In the past the Drupal core has had high profile security issues, some even leading to the Panama Papers leak. Those have been mitigated well by the security team, but because the core team does not support this module, they simply won't fix it. Instead they only recommend moving to another module that provides similar capability:

Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.
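Before any migration, a site owner first needs to know whether the code base still ships the References project at all. The following Python script is an added example, not part of the original post or of the Drupal project; it relies on the `project =` and `version =` lines that Drupal.org's packaging script appends to each module's .info file, so the check works from disk without a database connection. The sample .info contents embedded in it are constructed for illustration, and the submodule names and version strings in them are assumptions rather than values taken from a real release.

```python
"""Inventory check: find Drupal 7 modules that belong to the unmaintained References project.

Drupal.org packaging appends `project = "..."` and `version = "..."` lines to a
module's .info file, so the project a module belongs to can be read from disk.
"""
import os
from typing import Dict, List

# Projects the post describes as unmaintained; extend as needed.
FLAGGED_PROJECTS = {"references"}

# Constructed sample .info files (not copied from the real modules).
SAMPLE_INFO_FILES: Dict[str, str] = {
    "sites/all/modules/references/references.info": """\
name = References
description = Common base for reference field types
core = 7.x
package = Fields
; Information added by Drupal.org packaging script (constructed sample)
version = "7.x-2.x-sample"
project = "references"
datestamp = "1360000000"
""",
    "sites/all/modules/references/node_reference/node_reference.info": """\
name = Node Reference
core = 7.x
dependencies[] = references
version = "7.x-2.x-sample"
project = "references"
""",
    "sites/all/modules/entityreference/entityreference.info": """\
name = Entity Reference
core = 7.x
version = "7.x-1.x-sample"
project = "entityreference"
""",
}


def parse_info(text: str) -> Dict[str, str]:
    """Parse the key = value subset of Drupal's .info format.

    Lines starting with ';' are comments, values may be double-quoted, and
    array keys such as dependencies[] are collected as a comma-joined string.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.endswith("[]"):
            key = key[:-2]
            result[key] = f"{result[key]},{value}" if key in result else value
        else:
            result[key] = value
    return result


def flag_modules(info_files: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one record per .info file whose project is in FLAGGED_PROJECTS."""
    flagged: List[Dict[str, str]] = []
    for path, text in sorted(info_files.items()):
        info = parse_info(text)
        if info.get("project", "").lower() in FLAGGED_PROJECTS:
            flagged.append({
                "path": path,
                "module": info.get("name", "?"),
                "version": info.get("version", "unknown"),
            })
    return flagged


def scan_tree(root: str) -> List[Dict[str, str]]:
    """Read every .info file under a Drupal docroot and flag the hits."""
    found: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".info"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found[os.path.relpath(full, root)] = fh.read()
    return flag_modules(found)


if __name__ == "__main__":
    # Run against the constructed samples; use scan_tree("/path/to/docroot") on a real site.
    for rec in flag_modules(SAMPLE_INFO_FILES):
        print(f"{rec['module']} ({rec['version']}) at {rec['path']}")
```

Note that this only reports modules present on disk, not whether they are enabled; the 120 000 figure above counts installations that report the module as installed, so a disk hit is the cue to check the site's module status next and plan the move to Entity Reference.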

With a critical issue in an unsupported module this widely used, it is almost guaranteed that a large number of sites will be subject to attacks using it as a vector. Given Drupal's tradition of large backward-incompatible changes, some sites might be difficult to upgrade. Upgrading an enterprise site that relies heavily on References may simply be impossible, which will hopefully drive a corporate entity to take over maintenance of the module.

This issue comes at an unfortunate time, when there is plenty of controversy over the Drupal project in general: over the sustainability of Drupal as an enterprise platform, as well as over community governance following the controversy around ousting key developers from the project. A dependency on unmaintained third party modules does not sit well with the system's ambitions to take over the enterprise market. In this case, there is simply no responsible party left for this community extension.