TechGuard Blog

Critical Vulnerability in Drupal Disclosed - Active Exploits Found in Wild

Drupal is one of the most popular Content Management Systems (CMS) around, allowing users to build custom websites with ease using thousands of themes and plugins.  The rich features of the software attract a lot of organizations to use the platform for both internal and external web presence, online stores, blogs, etc.…

Of course, as we’ve seen time and time again (especially with CMS), vulnerabilities that are discovered are quick to be weaponized by bad actors looking to target those organizations.

What Vulnerability Was Discovered?

A remote code execution (RCE) vulnerability was discovered by Samuel Mortenson from the Drupal security team.  An RCE is just about as bad as a vulnerability gets as it allows an attacker to run their own code or commands on the target server.  For example, an attacker could output the /etc/shadow and /etc/passwd files on a Linux server to steal password hashes or even install a remote access tool to gain persistent access to the server. 

According to the advisory by Drupal, the vulnerability exists because “Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases.” 


Who is Affected?

Technically speaking this vulnerability affects:

  • Sites running Drupal 8 core RESTful Web Services and allows GET, PATCH, or POST HTTP requests


  •   Sites that have another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7

That said, Drupal has had a rough few years and there have been several very critical vulnerabilities including:


PHP Proxy Vulnerability - CVE-2016-5385

Drupalgeddon 2 - CVE-2018-7600

Drupalgeddon 3 - CVE-2018-7602


These vulnerabilities represent the worst of the worst for Drupal, however, there have been other vulnerabilities disclosed that require patches and validation testing as well.

To make matters worse within about a day after the vulnerability was disclosed the patch was reverse engineered, a proof of concept was published, and now researchers at Imperva have discovered that the attack is already being used in the wild.  This is bad news for Drupal users as it greatly increases the urgency of patching and validation efforts.


TechGuard Solutions:

TechGuard Security can test for all the Drupal vulnerabilities mentioned in this blog and more.  We provide organizations with a detailed report that focuses on risk and remediation so that your business can decide where to focus its efforts and how best to resolve these issues. 

Our goal is to continually improve your organization’s security program and we do that by creating long-term relationships.  Take a look at our service offerings and contact us today so that we can set up a Vulnerability Assessment for this and other vulnerabilities, as well as provide you with a practical remediation plan.

Written by Zach Turpen