The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL.
Drupal site owners should immediately —and we mean right now— update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they’re running.
The Drupal team pre-announced today’s patches last week when it said « exploits might be developed within hours or days » after today’s disclosure.
The security flaw is indeed a severe one, with the Drupal team assigning it a severity score of 21 (on a scale of 1 to 25).
Drupal affected by unauthenticated RCE flaw
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS’ core component, effectively taking over the site.
The attacker doesn’t need to be registered or authenticated on the targeted site, and all the attacker must do is to access an URL.
The Drupal community has already nicknamed this bug as Drupalgeddon2 after the Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.
No PoC available. No attacks detected (yet).
There is no public proof-of-concept or exploit code currently available online, but researchers have already started digging through the Drupal patches to determine what was patched.
Drupal developers credited Jasper Mattsson, an employee of Drupal security auditing firm Druid, for discovering the flaw.
The Drupal team says it was not aware of any attacks exploiting the flaw when they published their security alert, but everyone from the official Drupal team to independent security researchers expect this vulnerability to enter active exploitation within hours or days.
Patching should not be ignored. Even the main Drupal homepage was taken down today for half an hour to apply the Drupalgeddon2 patch.
To read the original artcile:https://www.bleepingcomputer.com/news/security/drupal-fixes-drupalgeddon2-security-flaw-that-allows-hackers-to-take-over-sites/