The Drupal team has issued a security advisory revealing a critical vulnerability in the References module. References is currently unmaintained and it’s unlikely the vulnerability will be fixed. Drupal users who depend on References should find an alternative as soon as possible.
Drupal is a popular content management system. It’s estimated that Drupal powers about 2% of the web, which is impressive for a CMS that isn’t WordPress. Drupal is a richly featured PHP CMS that can be used to build sites ranging from blogs to enterprise sites with complex content management requirements.
Drupal is a modular CMS that provides additional functionality via third-party modules. The References module is used on an estimated 120,000 Drupal sites. References provides the ‘node_reference’ and ‘user_reference’ field types, but, in spite of its popularity, References is no longer maintained by its developer or supported by Drupal.
References being unsupported is reason enough to replace it as soon as possible, but the recently discovered vulnerability makes moving from References even more pressing. Crossing your fingers and waiting for a fix isn’t an option because it’s unlikely a fix will be forthcoming. Problems of this sort are why security experts advise site owners not to use unmaintained software. Even if it provides exactly the functionality you need, it will become a security and compatibility liability eventually.
Specific details of the vulnerability haven’t been disclosed, but its existence has been widely publicized, which means criminals are almost certain to have taken a close look at the code and discovered the vulnerability. Although, in the absence of details, it’s hard to say exactly how serious the vulnerability is, it’s a good bet that References contains code that should be removed from every Drupal site immediately.
In fact, that’s the advice given by the Drupal team: uninstall the References module immediately.
If you rely on functionality provided by References, you should take a look at the Entity Reference module, which provides some of the same features.
It should be stressed that this vulnerability is not a problem with Drupal core. The only Drupal installations impacted by this vulnerability are those that use the References module.
In better news, the most recent version of Drupal, Drupal 8.3.0, was released earlier this month with a host of new features and enhancements, including improvements to the editing experience. The headline feature of Drupal 8.3.0 is the inclusion of BigPipe, a page rendering strategy first developed at Facebook, which has the potential to greatly improve the rendering time of pages containing content that can’t be cached.