Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!

Haythem Elmir

Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site.

The update came two days after the Drupal security team released an advance security notification of the upcoming patches, giving website administrators an early heads-up so they could prepare to fix their sites before attackers abuse the loophole.

The vulnerability in question is a critical remote code execution (RCE) flaw in Drupal Core that could « lead to arbitrary PHP code execution in some cases, » the Drupal security team said.

While the Drupal team hasn’t released any technical details of the vulnerability (CVE-2019-6340), it mentioned that the flaw exists because some field types do not properly sanitize data from non-form sources, and that it affects Drupal 7 and 8 Core.

It should also be noted that your Drupal-based website is only affected if the RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or it has another web services module enabled.

If you can’t immediately install the latest update, then you can mitigate the vulnerability by simply disabling all web services modules, or configuring your web server(s) to not allow PUT/PATCH/POST requests to web services resources.

« For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the « q » query argument. For Drupal 8, paths may still function when prefixed with index.php/. »
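The mitigation above (refuse PUT/PATCH/POST to web services resources) is only effective if the filter recognises every way a resource can be addressed. As an added illustration, not code from the article or from the Drupal advisory, the following Python request filter normalises the three path forms the advisory quote lists (clean URL, the Drupal 7 « q » query argument, and the Drupal 8 index.php/ prefix) before applying the method check. The protected prefixes /rest/ and /api/ and the sample requests are constructed placeholders, since the article names no concrete resource paths.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical list of web-services resource path prefixes to shield; the
# real list depends on which REST/Services endpoints a given site exposes.
PROTECTED_PREFIXES = ("/rest/", "/api/")   # assumption, not from the advisory
WRITE_METHODS = {"PUT", "PATCH", "POST"}


def normalize_path(url: str) -> str:
    """Reduce the three path forms the advisory mentions to one canonical path:
    clean URL (/foo), Drupal 7 ?q=foo, and Drupal 8 index.php/foo."""
    parts = urlsplit(url)
    path = parts.path
    # Drupal 7: the 'q' query argument carries the internal path
    q = parse_qs(parts.query).get("q")
    if q:
        path = "/" + q[0].lstrip("/")
    # Drupal 8: the front-controller prefix still routes to the same resource
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    elif path == "/index.php":
        path = "/"
    return path


def should_block(method: str, url: str, protected=PROTECTED_PREFIXES) -> bool:
    """Return True when a write request targets a protected resource."""
    if method.upper() not in WRITE_METHODS:
        return False
    path = normalize_path(url)
    return any(path.startswith(p) for p in protected)


# Constructed sample requests (method, URL); not captured traffic
SAMPLES = [
    ("GET",   "/rest/node/1"),
    ("PATCH", "/rest/node/1"),
    ("POST",  "/?q=rest/node"),
    ("PATCH", "/index.php/rest/node/1"),
    ("POST",  "/index.php?q=rest/node"),
    ("POST",  "/user/login"),
]


def filter_samples():
    """Apply the filter to every sample; returns (method, url, blocked) tuples."""
    return [(m, u, should_block(m, u)) for m, u in SAMPLES]


if __name__ == "__main__":
    for m, u, blocked in filter_samples():
        print(f"{'BLOCK' if blocked else 'allow'} {m:5} {u}")
```

A rule that matched only the clean URL would let the second and third variants through; a reverse-proxy or WAF rule should apply the same normalisation.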

However, considering the popularity of Drupal exploits among attackers, it is highly recommended that you install the latest update:

  • If you are using Drupal 8.6.x, upgrade your website to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade your website to Drupal 8.5.11.

Drupal also said that the Drupal 7 Services module itself does not require an update at this moment, but users should still consider applying other contributed updates associated with the latest advisory if « Services » is in use.

Drupal has credited Samuel Mortenson of its security team with discovering and reporting the vulnerability.

Source: https://thehackernews.com/2019/02/hacking-drupal-vulnerability.html
