Drupal has released security updates that correct a critical remote code execution vulnerability in Drupal core.
Drupal is a free and open-source content management framework and provides the back-end framework for approximately 2.3% of websites worldwide.
The vulnerability (CVE-2019-6340) arises because some field types do not properly sanitise data that arrives from non-form sources, such as web services requests. An attacker who can reach an affected endpoint can exploit it to execute arbitrary PHP code. A site is exploitable if the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another web services module is enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Drupal 7 core itself is not affected, and Drupal states that the Drupal 7 Services module does not require an update for this issue; however, the other contributed-module updates associated with this advisory should still be applied if Services is in use, as they include further critical fixes. Sites with the Drupal 8 core RESTful Web Services module enabled and PATCH or POST requests allowed should upgrade immediately.
Users of Drupal 8.6.x should upgrade to Drupal 8.6.10, and users of Drupal 8.5.x or earlier should upgrade to Drupal 8.5.11. Versions of Drupal 8 prior to 8.5.x are end-of-life and receive no security coverage, so Drupal will not issue further security updates for them. After updating Drupal core, apply any available security updates for contributed projects as well.
Drupal advises users who cannot update immediately to disable all web services modules, or to configure the web server not to accept PUT, PATCH or POST requests to web services resources. Anyone taking this route should be aware that web services resources may be reachable on multiple paths depending on server configuration, so a rule that matches only one form of the URL leaves the others open. In Drupal 7, resources are typically available both via clean-URL paths and via the "q" query argument (for example /?q=node/1); in Drupal 8, paths may still function when prefixed with index.php/. This is a stop-gap mitigation only, and the update should still be applied.
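As an added example, not code from Drupal or from the advisory, the following Python models the front-end blocking rule described above and the two alternate URL forms it has to account for (the index.php/ prefix in Drupal 8 and the "q" query argument in Drupal 7). The path prefixes in WEB_SERVICE_PREFIXES and the sample requests are constructed for the illustration; a real deployment must derive the prefixes from its own REST, JSON:API or Services configuration.

```python
"""Model of the SA-CORE-2019-003 stop-gap rule: refuse PUT/PATCH/POST to
Drupal web services resources, whichever URL form the request uses.

Added example only; not code from Drupal or the advisory.
"""
from urllib.parse import parse_qs, urlsplit

# Methods the advisory says to refuse for web services resources.
BLOCKED_METHODS = {"PUT", "PATCH", "POST"}

# ASSUMPTION for this illustration: internal path prefixes served by a web
# services module (core REST entity routes and JSON:API in Drupal 8, a
# Services endpoint mounted at /api in Drupal 7). Real sites must list the
# prefixes their own modules actually expose.
WEB_SERVICE_PREFIXES = ("node/", "user/", "taxonomy/term/", "jsonapi/", "api/")


def canonical_path(url: str) -> str:
    """Return the Drupal-internal path a request URL resolves to.

    Handles the two alternate forms the advisory warns about:
      * Drupal 8: /index.php/node/1 routes the same as /node/1.
      * Drupal 7: /?q=node/1 and /index.php?q=node/1 route the same as /node/1.
    The query string (e.g. ?_format=hal_json) is otherwise ignored, since it
    does not change which resource is addressed.
    """
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    if path.startswith("index.php/"):
        path = path[len("index.php/"):]
    elif path in ("", "index.php"):
        # Non-clean-URL form: the real path travels in the "q" argument.
        path = parse_qs(parts.query).get("q", [""])[0].lstrip("/")
    return path


def is_web_service_resource(url: str) -> bool:
    """True if the normalised path falls under a web services prefix."""
    return canonical_path(url).startswith(WEB_SERVICE_PREFIXES)


def should_block(method: str, url: str) -> bool:
    """Decision the front-end rule takes for one request."""
    return method.upper() in BLOCKED_METHODS and is_web_service_resource(url)


# Constructed sample traffic: (method, url). Not real logs.
SAMPLE_REQUESTS = [
    ("GET", "/node/1?_format=hal_json"),            # read: allowed
    ("PATCH", "/node/1?_format=hal_json"),          # clean URL: blocked
    ("PATCH", "/index.php/node/1?_format=hal_json"),  # D8 index.php/ prefix: blocked
    ("POST", "/?q=api/node"),                       # D7 ?q= form: blocked
    ("POST", "/index.php?q=/api/node"),             # D7 index.php?q= form: blocked
    ("POST", "/jsonapi/node/article"),              # JSON:API: blocked
    ("POST", "/contact"),                           # not a web service: allowed
]


def audit(requests=SAMPLE_REQUESTS):
    """Return [(method, url, blocked)] for a batch of requests."""
    return [(m, u, should_block(m, u)) for m, u in requests]


if __name__ == "__main__":
    for method, url, blocked in audit():
        print(f"{'BLOCK' if blocked else 'allow':5}  {method:5} {url}")
```

A rule expressed in the web server must perform the same normalisation: a `location` or `<Location>` block that matches only `/node/` will not see `/index.php/node/1` or `/?q=node/1`, which is exactly the gap the advisory points out.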
Attackers have been observed exploiting Drupal vulnerabilities on unpatched sites within days of a security release, so the updates should be applied as soon as possible. In previous cases, unpatched Drupal sites have been compromised to install cryptocurrency miners, remote access trojans (RATs) and other malicious content.