Connect with us


Drupal Warns of Two Critical Vulnerabilities



Drupal Warns of Two Critical Vulnerabilities

Drupal announced two vulnerabilities affecting versions 9.2 and 9.3 that could allow an attacker to upload malicious files and take control of a site. The threat levels of the two vulnerabilities are rated as Moderately Critical.

The United States Cybersecurity & Infrastructure Security Agency (CISA) warned that the exploits could lead to an attacker taking control of a vulnerable Drupal-based website.

CISA stated:

“Drupal has released security updates to address vulnerabilities affecting Drupal 9.2 and 9.3.

An attacker could exploit these vulnerabilities to take control of an affected system.”


Drupal is a popular open source content management system written in the PHP programming language.

Many major organizations like Smithsonian Institution, Universal Music Group, Pfizer, Johnson & Johnson, Princeton University, and Columbia University use Drupal for their websites.

Form API – Improper Input Validation

The first vulnerability affects Drupal’s form API. The vulnerability is an improper input validation, which means that what is uploaded via the form API is not validated as to whether it is allowed or not.


Validating what is uploaded or input into a form is a common best practice. In general, the input validation is done with an Allow List approach where the form expects specific inputs and will reject anything that does not correspond with the expected input or upload.

When a form fails to validate an input then that leaves the website open to the upload of files that can trigger unwanted behavior in the web application.

Drupal’s announcement explained the specific issue:

“Drupal core’s form API has a vulnerability where certain contributed or custom modules’ forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.”

Drupal Core – Access Bypass

Access bypass is a form of vulnerability where there may be a way to access to a part of the site through a path that is missing an access control check, resulting in some cases a user being able to gain access to levels they don’t have permissions for.

Drupal’s announcement described the vulnerability:

“Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.”

Publishers Encouraged to Review Security Advisories and Apply Updates

The United States Cybersecurity and Infrastructure Security Agency (CISA) and Drupal encourage publishers to review the security advisories and update to the latest versions.


Read the Official CISA Drupal Vulnerability Bulletin

Drupal Releases Security Updates

Read the Two Drupal Security Announcements

Drupal core – Moderately critical – Improper input validation – SA-CORE-2022-008


Drupal core – Moderately critical – Access bypass – SA-CORE-2022-009

Source link

See also  ThirstyAffiliates WordPress Plugin Vulnerabilities


What Happens When Google Picks The Wrong Canonical URL?



What Happens When Google Picks The Wrong Canonical URL?

Despite your best effort to implement canonical tags, Google won’t always choose the same URL to display in search results. How can this be fixed?

This topic is addressed by Google Search Advocate John Mueller in a Reddit thread on the r/TechSEO forum.

An individual asks why Google is displaying the wrong URL in search results, even though they’re making every effort to indicate which page should be displayed.

In addition to canonical tags, this individual is using hreflang tags, and sitemaps, and has the correct settings configured in Google Search Console.

Google continues to display a different URL in search results.

Mueller first explains why Google isn’t displaying the intended URL and describes what can be done to get Google surfacing a different page.

Canonical Tags: Why Isn’t Google Displaying The Correct URL?

A canonical tag sends a signal to Google indicating which URL is the correct one to show in search results when you have similar pieces of content.


In this particular example, the Reddit user notes they’re dealing with a brand’s website that has multiple country code top-level domains (ccTLDs).

Instead of displaying in Canadian search results, for example, Google is displaying instead.

There are multiple reasons why this is happening.

Duplicate Content Leading To Wrong Canonicals

The Reddit user believes the pages across domains are different enough to not be seen as duplicate content. However, Mueller informs him otherwise.

Mueller says Google sees the pages as duplicates and indexes only one version in search results, dropping the others from its index.

“What’s happening here is that these pages are overall significantly similar, so that Google de-duplicates them by indexing a canonical version. However, with the hreflang annotations, the correct URL is still shown in the search results (at least where the hreflang is recognized, etc).”

Interesting to learn hreflang is what helped ensure the correct URL was shown in certain cases.

Page Titles Leading To Wrong Canonicals

Mueller notes the way the Reddit user has their page titles written could be confusing to Google.

When dealing with a website that has multiple ccTLDs, Mueller suggests keeping the domain extension out of page titles.


“One confusing part here is that your page titles use compantyname.TLD. This means the URL shown is the version, but the title includes You can fix that by changing the page titles to just use Companyname.”

How Do You Fix An Issue With Wrong Canonicals?

There’s no easy fix to this one. It’s not simply a matter of adding more tags or changing page titles.

If you want to prevent Google from de-duplicating your pages in search results then you have to make the content significantly different.

Mueller states in the Reddit thread:

“If you wanted to change the indexing / canonicalization here, you’d have to make sure that the pages are significantly different, not just a bit different.”

Is This A Major Problem?

While it may be distressing to see Google displaying the wrong URL in search results, Mueller says this is not an urgent problem.

There’s no disadvantage when it comes to search rankings, and Google Search Console reports are the same as they would be if your preferred URL was selected.

“Despite what Search Console says, the position, impressions, and clicks of these URLs will be fine. They will appear the same way as if the actual URL were also selected as canonical. There’s no ranking disadvantage to things being indexed like this — and there’s an advantage of there being fewer URLs that need to be crawled & refreshed across your sites (faster inventory updates, etc).”

To be clear, The above statement applies to domain properties you own.

If you want Google to index and display your chosen canonical URL, the solution is to make the content different from the page Google is choosing to display instead.

When it comes to fixing the issue, Mueller suggests it might not be worth the effort.


“Given that the search results would essentially be the same, I don’t know if that’s really worthwhile for you — at least it probably wouldn’t be an urgent problem to solve.”

Source: Reddit

Featured Image: fizkes/Shutterstock

fbq('trackSingle', '1321385257908563', 'ViewContent', { content_name: 'what-happens-when-google-picks-the-wrong-canonical-url', content_category: 'news seo' }); }

Source link

See also  WordPress All In One SEO Plugin Integrates Microsoft Clarity
Continue Reading

Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address