Drupal, one of the world's most popular open-source content management systems, has released new versions of its core software containing a patch for a critical flaw.
The vulnerability is a remote code execution flaw that could expose tens of thousands of websites, and it has drawn comparisons to Drupalgeddon, the name previously given to earlier critical Drupal core flaws.
The flaw was reported by Samuel Mortenson of the Drupal Security Team. At the time of the advisory the vulnerability was not known to be exploited in the wild and no public exploit code had appeared, but he noted that it was only a matter of time before one emerged.
While the advisory (SA-CORE-2019-003) does not give the technical details of the vulnerability (tracked as CVE-2019-6340), it states that some field types do not properly sanitize data from non-form sources, which can lead to arbitrary PHP code execution.
The flaw affects Drupal 8 core; Drupal 7 core is not affected, although some Drupal 7 contributed web services modules are. An attacker who can reach an exposed web services endpoint could use it to take over a Drupal site and run code as the web server's user.
A site is affected only if the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another web services module is enabled, such as JSON:API in Drupal 8 (or the Services or RESTful Web Services modules in Drupal 7).
Drupal users are therefore advised to update Drupal core. Sites on 8.6.x should upgrade to Drupal 8.6.10, and sites on 8.5.x or earlier to Drupal 8.5.10.
Admins should also install the updates released for affected contributed projects, including Metatag, Video, Link, Translation Management Tool, Paragraphs, Font Awesome Icons, JSON:API and RESTful Web Services. No update is required for Drupal 7 core, but affected Drupal 7 contributed modules do need updating.
If updating immediately is not possible, the advisory recommends disabling all web services modules, or configuring the web server(s) not to allow PUT, PATCH or POST requests to web services resources.
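As an added triage helper (not part of the Drupal advisory or of Drupal itself), the following POSIX shell script turns the affected-configuration conditions and fixed-release numbers above into a one-word verdict. It assumes the caller collects the core version and the enabled-module list with drush (the two drush invocations in the header comment are the assumed way to obtain them), and it uses the module machine names rest and jsonapi for Drupal 8 and restws and services for Drupal 7; treating releases newer than 8.6.10 as fixed is also an assumption, since the advisory only names 8.6.10 and 8.5.10.

```shell
#!/bin/sh
# Added example, not part of the Drupal advisory or of Drupal itself.
# Triage helper for SA-CORE-2019-003 / CVE-2019-6340: given a site's core
# version and its enabled modules, report whether the site is in the
# exposed configuration. Assumed way to gather the inputs with drush 9+:
#   VERSION=$(drush core:status --field=drupal-version)
#   MODULES=$(drush pm:list --status=enabled --type=module --field=name --format=list)
#   assess "$VERSION" "$MODULES"

# core_fixed VERSION: succeed (exit 0) when Drupal 8 core at VERSION contains
# the fix. The advisory names 8.6.10 and 8.5.10 as fixed; anything newer than
# 8.6.10 is assumed to include the fix, and 8.4.x and older received no fix.
core_fixed() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
  [ "$major" = 8 ] || return 1
  case "$minor" in
    *[!0-9]*|'') return 1 ;;        # unparseable minor version: treat as unfixed
  esac
  if [ "$minor" -gt 6 ]; then return 0; fi
  [ "$minor" -eq 6 ] || [ "$minor" -eq 5 ] || return 1
  [ "${patch:-0}" -ge 10 ]
}

# has_module "MODULE LIST" NAME: succeed when NAME appears in the
# whitespace- or newline-separated list of enabled module machine names.
has_module() {
  for m in $1; do
    [ "$m" = "$2" ] && return 0
  done
  return 1
}

# assess VERSION "MODULE LIST": print exactly one of
#   PATCHED        core already carries the fix
#   EXPOSED        unfixed Drupal 8 core with a web services module enabled
#   NOT_EXPOSED    no web services module enabled (still update core)
#   CONTRIB_UPDATE Drupal 7: core is unaffected, but the enabled contrib
#                  web services module needs its own update
assess() {
  case "$1" in
    7.*)
      if has_module "$2" restws || has_module "$2" services; then
        echo CONTRIB_UPDATE
      else
        echo NOT_EXPOSED
      fi
      return 0 ;;
  esac
  if core_fixed "$1"; then
    echo PATCHED
  elif has_module "$2" rest || has_module "$2" jsonapi; then
    echo EXPOSED
  else
    echo NOT_EXPOSED
  fi
}

# Stand-alone use: ./assess.sh VERSION "MODULE LIST"
if [ $# -ge 2 ]; then
  assess "$1" "$2"
fi
```

The check is deliberately conservative: the advisory's condition for the core rest module also requires that POST or PATCH be permitted on at least one resource, but since that is per-resource configuration the script treats any enabled rest module as exposed. The advisory's web-server mitigation corresponds to a per-location method restriction (nginx limit_except, Apache LimitExcept) on the paths that serve web services resources, applied until the core and contrib updates are in place.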