Update Drupal ASAP: Over a million sites can be easily hacked by any visitor

A dangerous Drupal flaw could leave your site completely compromised if you don't patch the flaw immediately.
Written by Liam Tung, Contributing Writer

Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site.

The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions.

Admins are being urged to immediately update to Drupal 7.58 or Drupal 8.5.1. Drupal issued an alert for the patch last week warning admins to allocate time for patching because exploits might arrive "within hours or days" of its security release. So far, there haven't been any attacks using the flaw, according to Drupal.

The bug, which is being called Drupalgeddon2, has been assigned the official identifier CVE-2018-7600.

Drupal has given it a 'highly critical' rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System.

Although there are no security releases for the unsupported Drupal 8.3.x and 8.4.x, Drupal has released patches for quick remediation.

Drupal warns that attackers can exploit the flaw through several avenues. Any visitor, regardless of privileges, can exploit the flaw simply by visiting an affected site, and can then access, modify and delete private data.

"This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised," Drupal notes.

The project says that only "drastic" configuration changes will mitigate the vulnerability and hence recommends installing the security release.

The problem lies in Drupal core and is caused by missing input validation.

"As of this release, Drupal strips out several potentially dangerous values from user-provided input," the Drupal 7.58 and 8.4.6 release notes state.

The 7.58 branch of Drupal includes one new file and an update to a previously existing file, according to UK application security firm Appsecco.

"The '/includes' directory contains several .inc files that are called when Drupal is accessed to set up the server environment, server-side variables and handling of user-supplied data on the server," writes Appsecco's Riyaz Walikar.

"The newly released version, 7.58, has a new file called 'request-sanitizer.inc' that contains functions to clean user input supplied through a GET, POST or a cookie."

"The underlying problem is that the Drupal core (much like other frameworks) accepts request parameters as array objects. A user can pass an array object to the application with the keyname containing the payload which Drupal would process without sanitization."
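To make the key-name problem concrete, the following added example (written for this article, not Drupal's request-sanitizer.inc and not Appsecco's code) shows how PHP turns bracketed parameter names into nested arrays and how a recursive filter can drop suspicious keys before the application sees them. It assumes a key counts as dangerous when it starts with '#', a rule the article itself does not spell out; the function name, the allowlist parameter and the sample query string are hypothetical.

```php
<?php
// Added illustration, not Drupal's request-sanitizer.inc.
// Assumption: a key is "dangerous" when it is a string starting with '#'.

/**
 * Recursively drop dangerous keys from a request array.
 *
 * @param mixed  $input     Value taken from $_GET, $_POST or $_COOKIE.
 * @param array  $allowlist Keys that may keep a leading '#'.
 * @param array  $removed   Collects the paths of stripped keys for logging.
 * @param string $path      Path of the current element (internal use).
 */
function strip_dangerous_keys($input, array $allowlist, array &$removed, string $path = '')
{
    if (!is_array($input)) {
        return $input; // Scalars carry no keys; only array keys are filtered.
    }
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#'
            && !in_array($key, $allowlist, true)) {
            $removed[] = $here; // Record what was dropped so it can be logged.
            continue;
        }
        // Descend: the suspicious key may sit at any nesting depth.
        $clean[$key] = strip_dangerous_keys($value, $allowlist, $removed, $here);
    }
    return $clean;
}

// Constructed sample: PHP parses bracketed names into nested arrays, so a
// visitor controls the array keys as well as the values.
parse_str('page=2&profile[name]=alice&profile[%23hypothetical_key]=x&tags[]=a', $query);

$removed = [];
$safe = strip_dangerous_keys($query, [], $removed);

var_export($safe);
echo PHP_EOL . 'stripped: ' . implode(', ', $removed) . PHP_EOL;
```

Logging the stripped paths, as `$removed` allows here, gives defenders a signal that a request carried unexpected key names even though the request was rendered harmless.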
