This post aims to throw light on the recent flaws discovered in Drupal that exposed it to hackers. The Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL. This means that Drupal site owners should immediately update their sites to Drupal 7.58 or Drupal 8.5.1, depending on the version they’re running.
The Drupal team pre-announced the recent patches last week when it said “exploits might be developed within hours or days” after the disclosure. This security flaw is indeed a severe one, with the Drupal team assigning it a severity score of 21 (on a scale of 1 to 25).
Drupal affected by unauthenticated RCE flaw
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS’ core component, effectively taking over the site.
The attacker doesn’t need to be registered or authenticated on the targeted site, and all the attacker needs to do is access the URL.
The Drupal community has already nicknamed this bug as Drupalgeddon2 after the Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.
The Drupal team says it was not aware of any attacks exploiting the flaw when they published their security alert, but everyone from the official Drupal team to independent security researchers expect this vulnerability to enter active exploitation within hours or days. Patching should not be ignored.
EOLed Drupal 6 also affected
Besides fixes for Drupal’s two main branches —7.x and 8.x— the Drupal team announced patches for the ancient 6.x branch that was discontinued in February 2016.
Web firewall products are expected to receive updates in the following days to handle exploitation attempts.
What Drupal site owners can do
Drupal developers recommend patching first, but if this isn’t possible, apply mitigation solutions such as temporarily replacing a Drupal site with a static HTML page, so the vulnerable Drupal site would not serve the vulnerable URLs to visitors.
In addition, it is highly recommended that all staging and in-dev Drupal installations should be updated or taken down completely until the patch can be applied.
For more information on this, head over to https://www.drupal.org/security