
Remote Code Execution Possible in Drupal

On February 19, Drupal released the security advisory PSA-2019-02-19 (later amended by PSA-2019-02-22). The advisory describes a critical security flaw in Drupal 8.5 and 8.6 core. This flaw, classified as CVE-2019-6340, can be used for remote code execution (code injection). An exploit for this vulnerability was released just a day later.

Blackhat hackers are currently using this vulnerability to attack unpatched websites. Some of the intercepted payloads included a cryptocurrency miner (CoinIMP for the Monero and Webchain currencies) that is executed in the user’s browser when they visit an infected website. Other payloads, including web shells, may also be sent. This could lead to the attacker gaining full control over the victim’s website.

In the last year, several remote code execution vulnerabilities have been discovered in Drupal, including Drupalgeddon 2 and Drupalgeddon 3.

How To Protect Yourself

Scan all your Drupal sites using the latest release of Acunetix. If you don’t have Acunetix yet, get a demo version. Not all Drupal sites are vulnerable to CVE-2019-6340 but it’s better to be safe than sorry.

If you need a temporary quick fix for this vulnerability, you may disable the Drupal REST module. The original advisory stated that the vulnerability affects only POST/PATCH requests but it was quickly proven that even GET requests with no authentication can lead to remote code execution.

The only certain way to protect yourself against CVE-2019-6340 attacks is to upgrade your Drupal installation:

  • If you use Drupal 8.6, upgrade immediately to 8.6.10.
  • If you use Drupal 8.5, upgrade immediately to 8.5.11.
  • Independent of the Drupal core version that you use, install all security updates for contributed projects.
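The advisory names 8.5.11 and 8.6.10 as the fixed releases, so the first thing an administrator wants to know is which branch and patch level each site is running. The script below is an added example (not Acunetix's or Drupal's own code) that reads the VERSION constant Drupal 8 defines in core/lib/Drupal.php and classifies the installation against those fixed releases, treating pre-release builds such as 8.6.10-dev as older than the final release. The embedded Drupal.php snippet is a constructed sample input; the file path shown in the usage comment is an assumption about where the checkout lives.

```python
"""Classify a Drupal 8 core checkout against the CVE-2019-6340 fixed releases.

Added example (not Acunetix or Drupal code). It reads the VERSION constant
that Drupal 8 declares in core/lib/Drupal.php and compares it with the
fixed releases named in the advisory (8.5.11 and 8.6.10).
"""
import re
import sys

# Fixed releases from the advisory, keyed by the 8.x minor branch.
FIXED_RELEASES = {
    (8, 5): (8, 5, 11),
    (8, 6): (8, 6, 10),
}

# Drupal 8 declares e.g.  const VERSION = '8.6.9';  in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(version):
    """Return (major, minor, patch, is_release) or None if unparsable.

    A suffix such as '-dev' or '-rc1' marks a pre-release build, which sorts
    below the final release carrying the same number (is_release 0 < 1).
    """
    number, _, suffix = version.partition("-")
    parts = number.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if suffix else 1)


def extract_version(drupal_php_source):
    """Pull the VERSION constant out of the text of core/lib/Drupal.php."""
    match = VERSION_RE.search(drupal_php_source)
    return match.group(1) if match else None


def assess(version):
    """Classify a Drupal core version string for CVE-2019-6340.

    Returns 'vulnerable', 'patched', 'unsupported' (not an 8.5/8.6 release,
    so outside what this check covers) or 'unknown' (unparsable string).
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "unsupported"
    # The fixed release itself is a final build, hence the trailing 1.
    return "vulnerable" if parsed < fixed + (1,) else "patched"


def check_source(drupal_php_source):
    """Assess the version found in the text of Drupal.php."""
    version = extract_version(drupal_php_source)
    if version is None:
        return ("unknown", "no VERSION constant found")
    return (assess(version), version)


# Constructed stand-in for the relevant lines of core/lib/Drupal.php on an
# unpatched 8.6 site (sample input, not a file taken from any real site).
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.6.9';
}
"""

if __name__ == "__main__":
    # Usage (assumed path): python check_drupal_version.py /var/www/html/core/lib/Drupal.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DRUPAL_PHP
    status, detail = check_source(source)
    print(f"{status}: {detail}")
```

Run it against each site's core/lib/Drupal.php; any result other than "patched" means the upgrade above is still outstanding, and "unsupported" means the site runs a branch the advisory's fixed versions do not cover, so consult the advisory directly.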

If you believe that your Drupal site has been hacked, it is not enough to just upgrade. To remediate, follow the official Drupal guide.

Tomasz Andrzej Nidecki, Technical Content Writer
LinkedIn: https://mt.linkedin.com/in/tonid

Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.
