Friday, February 22, 2019

Multiple Critical Flaws in Drupal Discovered — Update Your Drupal Site ASAP!

Drupal Developer team has released the latest version of their software to patch a very critical vulnerability that could allow remote attackers to hack your site. Drupal, a popular open-source content management system software powers millions of websites, including two of ours.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Project: 
Date: 
2019-February-20
Vulnerability: 
Remote Code Execution
CVE IDs: 
CVE-2019-6340
Description: 
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.
A site is only affected by this if one of the following conditions is met:
  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
(Note: The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.)
Solution: 
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.
Reported By: 

No comments: