Millions of Web Sites Threatened by an Extremely Critical Code Runtime Bug in Drupal

Millions of sites running the Drupal content management system are at risk of being hijacked until they are patched against a vulnerability that lets attackers remotely execute malicious code, the open source project warned Wednesday.

The flaw, tracked as CVE-2019-6340, stems from insufficient validation of user input, officials said in an advisory. Attackers who exploit it could, in some cases, run code of their choosing on vulnerable websites. The vulnerability is rated highly critical.

"Some types of fields do not clean up data from non-formal sources properly," said the warning. "This can lead to the execution of arbitrary PHP code in some cases."

In order for a site to be vulnerable, one of the following conditions must be met:

  • It has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests.
  • Another web services module is enabled, such as JSON:API in Drupal 8, or RESTful Web Services or Services in Drupal 7.

Project maintainers urge administrators of vulnerable websites to update immediately. For sites running version 8.6.x, this means upgrading to 8.6.10; sites running 8.5.x or earlier should upgrade to 8.5.11. Sites must also install any security updates available for contributed projects after the Drupal core update. No core update is required for Drupal 7, but several Drupal 7 contributed modules require updates.
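The two exposure conditions and the version guidance above translate directly into a fleet-triage check. The following is an added example, not code from the Drupal project or the advisory; the module machine names (rest, jsonapi, restws, services) and the inventory fields are assumptions about how a site inventory records them.

```python
import re

# Fixed core versions named in the advisory, keyed by Drupal 8 release branch.
FIXED = {(8, 6): (8, 6, 10), (8, 5): (8, 5, 11)}
# Drupal 7 contributed modules the advisory lists (machine names assumed to match
# the inventory; core needs no update on 7.x, these modules do).
D7_MODULES = {"restws", "services"}


def parse_version(text):
    """'8.6.9' -> (8, 6, 9); '7.63' -> (7, 63, 0). Non-numeric suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def exposed_via(version, modules, rest_allows_write):
    """Return the enabled modules that satisfy one of the advisory's two conditions."""
    major = parse_version(version)[0]
    if major == 8:
        hits = {"jsonapi"} & modules
        if "rest" in modules and rest_allows_write:  # core REST counts only if PATCH/POST are allowed
            hits.add("rest")
        return hits
    if major == 7:
        return D7_MODULES & modules
    return set()


def triage(version, modules, rest_allows_write=False):
    """Decide what the advisory asks of one site. Returns (action, detail)."""
    ver = parse_version(version)
    hits = exposed_via(version, modules, rest_allows_write)
    if not hits:
        return ("none", "no vulnerable web-service module enabled")
    if ver[0] == 8:
        # 8.6.x moves to 8.6.10; 8.5.x and every earlier 8.x branch moves to 8.5.11.
        target = FIXED.get(ver[:2], FIXED[(8, 5)])
        if ver < target:
            return ("upgrade-core", "upgrade to %d.%d.%d" % target)
        if "jsonapi" in hits:
            return ("update-contrib", "core is fixed; apply the contributed JSON:API update")
        return ("none", "core %s already contains the fix" % version)
    return ("update-contrib", "update Drupal 7 module(s): " + ", ".join(sorted(hits)))


if __name__ == "__main__":
    # Constructed inventory rows: host, core version, enabled modules, REST PATCH/POST allowed.
    for host, ver, mods, w in [("a.example", "8.6.9", {"rest"}, True),
                               ("d.example", "7.63", {"services"}, False)]:
        print(host, *triage(ver, mods, w))
```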

Popular hacking target

Drupal is the third most widely used content management system, after WordPress and Joomla. Running approximately 3 to 4 percent of the world's more than one billion websites, Drupal powers tens of millions of sites. Critical vulnerabilities in any CMS are popular with hackers because they can be exploited against a large number of sites with a single, often easy-to-write script.

In 2014 and again last year, hackers were quick to exploit highly critical code-execution vulnerabilities shortly after Drupal project maintainers fixed them. Last year's "Drupalgeddon2" vulnerability was still being exploited six weeks after it was patched, indicating that many Drupal sites did not treat patching as urgent.

At the time this post went live, there was no indication that the latest Drupal vulnerability was being actively exploited in the wild. That is obviously subject to change. This article will be updated if new information becomes available.
