Drupal CMS vulnerability allows hackers to gain complete control of your website

A vulnerability discovered in the popular content management system Drupal could leave nearly 1 million websites open to attack if left unpatched.

The vulnerability is reachable through multiple attack vectors and could grant attackers complete control of a website. It affects Drupal 6.x, Drupal 7.x, and Drupal 8.x.

The vulnerability stems from a conflict between how PHP turns bracketed request parameters into nested arrays and Drupal’s convention of using a hash (#) at the beginning of array keys to mark special keys that trigger further processing (the render and form APIs treat such keys as instructions rather than data). User-supplied input containing such keys can reach that processing and lead to arbitrary code execution, according to Drupal’s security advisory. Exploiting this vulnerability does not require authentication: visiting a page with a maliciously crafted URL is enough.
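To make the mechanism concrete, here is an added example (not Drupal’s own code, and not an exploit): it shows how PHP’s parse_str() builds a nested array from a bracketed query string so that an inner key beginning with “#” arrives unchanged, and one way to neutralise that by recursively stripping “#”-prefixed keys from request input before any form or render code sees it. Drupal’s patch takes the same general approach of sanitising incoming request arrays, but the function and the sample query string below are illustrative constructions, not the project’s code or a real payload.

```php
<?php
// Added example, not Drupal's code. Demonstrates (1) PHP's nested-array parsing of
// query strings and (2) a defensive filter that drops keys beginning with "#".
//
// Drupal's render/form API treats keys that start with "#" (e.g. "#type", "#markup")
// as properties that drive further processing; everything else is plain data.
// If such a key arrives from the request untouched, user input can be interpreted
// as a processing instruction instead of as data.

// Recursively drop every array key that begins with "#", at any depth.
// Returns the sanitized copy; $removed collects the paths of stripped keys for logging.
function strip_hash_keys(array $input, string $path = '', array &$removed = []): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $here;
            continue;
        }
        $clean[$key] = is_array($value) ? strip_hash_keys($value, $here, $removed) : $value;
    }
    return $clean;
}

// Constructed sample query string (illustrative only): a nested parameter whose
// inner key is "%23custom", which URL-decodes to "#custom". parse_str() builds it as-is.
$query = 'form_id=user_register_form&mail[%23custom]=attacker-controlled&mail[name]=alice';

parse_str($query, $params);
var_export($params);
// PHP produces:
//   ['form_id' => 'user_register_form',
//    'mail'    => ['#custom' => 'attacker-controlled', 'name' => 'alice']]

$removed = [];
$safe = strip_hash_keys($params, '', $removed);
var_export($safe);     // 'mail' now holds only ['name' => 'alice']
var_export($removed);  // ['mail[#custom]'] — log these; they are never legitimate input
```

Run it with `php example.php`. The filter is deliberately applied to the whole decoded structure rather than to the raw query string, because the dangerous key can sit at any nesting depth and can be percent-encoded; checking the parsed arrays ($_GET, $_POST, $_COOKIE, and a decoded request body) is the only place where every spelling of the key has collapsed to a single form.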

Jasper Mattsson of the development house Druid found the vulnerability, tracked as SA-CORE-2018-002, during routine security review of Drupal core. The Drupal team does not go into specifics but states that attackers could completely compromise a Drupal-based site. So far there is no known public exploit for this vulnerability, so attacks against sites remain theoretical for now.

Based on the Drupal security team’s risk scoring system, the advisory rates the vulnerability as follows:

  • All non-public data is accessible
  • All data can be modified or deleted
  • Default or common module configurations are exploitable, but a config change can disable the exploit 

Here is Drupal’s update schedule to fix the vulnerability:

Version       Status         Solution
Drupal 6.x    End of Life    Contact a D6LTS vendor
Drupal 7.x    Active         Upgrade to Drupal 7.58 or apply the patch linked from the advisory
Drupal 8.3.x  Not supported  Upgrade to Drupal 8.3.9 or apply the patch linked from the advisory
Drupal 8.4.x  Not supported  Upgrade to Drupal 8.4.6 or apply the patch linked from the advisory
Drupal 8.5.x  Active         Upgrade to Drupal 8.5.1 or apply the patch linked from the advisory
