A critical vulnerability has been fixed in Drupal
A week ago on March 28, Drupal Security Team announced patches that close the critical bug in security, relevant for all versions of Drupal 6.x, 7.x and 8.x. The vulnerability allows an attacker to gain access to the hosting server with the rights of the web server. Hacker don’t have exploit that exploits this vulnerability, but it is likely to appear in the very near future, therefore it is strongly recommended that all site owners on Drupal or those who support it maintain the update as soon as possible.
The vulnerability was assigned the identifier CVE-2018-7600; in terms of severity, it is estimated at 21 points out of 25 possible on its own scale of developers.
As noted in the FAQ section of the Drupal safety website, the use of this vulnerability does not require registration or authentication on the site, the attacker simply has to go to the page. As a result of the vulnerability , you can access any private information, and modify or delete system data (or data processed by the system).
Information on the use of CVE-2018-7600 in real attacks is currently not available, but you can expect that after the publication of exploits will appear in the coming days or even hours.
Previous Drupalgeddon, as they are called such vulnerabilities in the Drupal community – fraught with a SQL injection of CVE-2014-3704, announced in 2014 – the Hacker started attack after hours after the release of the patch.
The patches for the new “Drupalgeddon” are included in the releases of Drupal 7.58 and Drupal 8.5.1, it is recommended to update immediately. If this option is not available, you can use the fix that was released for both Drupal 7.x and Drupal 8.5.x, but you still need to update to fully protect it.
As promised, Drupal 8.3.x and 8.4.x also received updates – 8.3.9 and 8.4.6, as well as individual patches. Users of these CMS are advised to upgrade in the future. If the site uses Drupal 8.2.x or lower, it should be translated to a newer version, and then install the patch.
The new problem is also characteristic of Drupal 6, whose support period expired in February 2016. Users of this version of the CMS should contact the vendor who is a member of the long-term support program (D6LTS).
If patching is postponed for some reason, the exploit can theoretically be prevented by changing the configuration – only modules with default or commonly used settings are vulnerable.
You can also temporarily replace the vulnerable Drupal site with a static HTML page to protect it from visitors with bad intentions. But it’s best to immediately install a full patch, as the developers of Drupal did, disabling their home page for half an hour.
According to statistics Drupal.org, now this CMS-system uses more than 1 million sites on the Internet. Total patching with such an audience can not be carried out in a short time, but Drupalgeddon 2 – the threat is more than serious.