Nytro

Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!

February 21, 2019
hacking drupal vulnerability

Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site.

The update came two days after the Drupal security team released an advance security notification of the upcoming patches, giving website administrators an early heads-up to fix their websites before hackers abuse the loophole.

The vulnerability in question is a critical remote code execution (RCE) flaw in Drupal Core that could "lead to arbitrary PHP code execution in some cases," the Drupal security team said.

While the Drupal team hasn't released any technical details of the vulnerability (CVE-2019-6340), it mentioned that the flaw resides due to the fact that some field types do not properly sanitize data from non-form sources and affects Drupal 7 and 8 Core.

It should also be noted that your Drupal-based website is only affected if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or it has another web services module enabled.

If you can't immediately install the latest update, then you can mitigate the vulnerability by simply disabling all web services modules, or configuring your web server(s) to not allow PUT/PATCH/POST requests to web services resources.

"Note that web services resources may be available on multiple paths depending on the configuration of your server(s)," Drupal warns in its security advisory published Wednesday.

"For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/."


However, considering the popularity of Drupal exploits among hackers, you are highly recommended to install the latest update:

  • If you are using Drupal 8.6.x, upgrade your website to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade your website to Drupal 8.5.11.

Drupal also said that the Drupal 7 Services module itself does not require an update at this moment, but users should still consider applying other contributed updates associated with the latest advisory if "Services" is in use.

Drupal has credited Samuel Mortenson of its security team for discovering and reporting the vulnerability.

Source: https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html?m=1
