No RESTful the wicked: If your website runs Drupal, you need to check for security updates – unless you enjoy being hacked
PUT, PATCH, POST, PWNED!
Website admins are today urged to update their Drupal installations following the disclosure of a potentially serious vulnerability in the web publishing software. And when we say potentially serious, we mean, someone can potentially hack and hijack your site via this flaw.
The security hole, designated CVE-2019-6340, is a remote-code-execution flaw caused by Drupal neglecting to properly check data from RESTful web services.
A successful exploit of the vulnerability would allow a hacker to remotely run malicious code on the targeted website's server, effectively commandeering the site. Drupal has classified the bug as "highly critical," and recommends admins patch the flaw ASAP.
"Some field types do not properly sanitize data from non-form sources," Team Drupal said in disclosing the vulnerability. "This can lead to arbitrary PHP code execution in some cases."
A website is open to attack if it is powered by Drupal 8 core with the RESTful Web Services (rest) module enabled, and it handles PATCH or POST requests, or the site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
For those running Drupal 8, the vulnerability can be patched by updating to version 8.6.10 or 8.5.11. Earlier versions of Drupal 8 are not supported and will not be getting the patch. While Drupal 7 itself is not directly vulnerable, the bug may be present in various contributed modules, so admins should check those for security updates.
In the meantime, Drupal says all sites can mitigate the flaw, effectively closing off the attack vector, by disabling PUT/PATCH/POST requests on web services, or by simply turning off web service modules.
"Note that web services resources may be available on multiple paths depending on the configuration of your server(s)," says Team Drupal. "For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/."
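The two conditions above (an unpatched 8.5.x/8.6.x core, and a web services module that still accepts write requests) can be checked from a site's own files before anyone has to test anything over the network. The script below is an added example written for this article, not code from Drupal or from the advisory. It assumes the Drupal 8 conventions of a `const VERSION = '...'` line in `core/lib/Drupal.php`, an enabled-module map under `module:` in `core.extension.yml`, and a `configuration: methods:` list in each `rest.resource.*.yml` file; the sample file contents are constructed inline, and the fixed versions come from the article. The `jsonapi` machine name is assumed for the contrib JSON:API module.

```python
import re

# Fixed releases named in the advisory for CVE-2019-6340 (8.5.11 and 8.6.10).
FIXED_BY_BRANCH = {"8.5": (8, 5, 11), "8.6": (8, 6, 10)}
# Request methods the advisory says to disable as a mitigation.
WRITE_METHODS = {"PUT", "PATCH", "POST"}
# Module machine names that expose web services (jsonapi is an assumption).
WEB_SERVICE_MODULES = {"rest", "jsonapi"}


def parse_version(drupal_php: str) -> tuple:
    """Pull the VERSION constant out of core/lib/Drupal.php as an int tuple."""
    m = re.search(r"const VERSION = '([^']+)'", drupal_php)
    if not m:
        raise ValueError("no VERSION constant found")
    core = m.group(1).split("-")[0]          # drop -dev / -rc suffixes
    return tuple(int(p) for p in core.split("."))


def version_status(version: tuple) -> str:
    """Classify a core version against the fixed releases."""
    major, minor = version[0], version[1]
    if major != 8:
        return "not-drupal-8"
    branch = f"{major}.{minor}"
    if branch not in FIXED_BY_BRANCH:
        return "unsupported"                  # e.g. 8.4.x gets no patch
    return "patched" if version >= FIXED_BY_BRANCH[branch] else "vulnerable"


def enabled_modules(core_extension_yml: str) -> set:
    """Collect the keys of the top-level 'module:' mapping in core.extension.yml."""
    modules, in_module = set(), False
    for line in core_extension_yml.splitlines():
        if re.match(r"^\S", line):            # any top-level key ends the block
            in_module = line.startswith("module:")
            continue
        if in_module:
            m = re.match(r"^\s+([A-Za-z0-9_]+):", line)
            if m:
                modules.add(m.group(1))
    return modules


def resource_methods(rest_resource_yml: str) -> list:
    """Return the HTTP methods listed under 'methods:' in a rest.resource.*.yml."""
    methods, in_methods = [], False
    for line in rest_resource_yml.splitlines():
        stripped = line.strip()
        if stripped == "methods:":
            in_methods = True
            continue
        if in_methods:
            if stripped.startswith("- "):
                methods.append(stripped[2:].strip().upper())
            else:
                in_methods = False            # next key ends the list
    return methods


def assess(drupal_php: str, core_extension_yml: str, rest_resource_ymls: list) -> dict:
    """Combine version state and write-method exposure into one verdict."""
    status = version_status(parse_version(drupal_php))
    modules = enabled_modules(core_extension_yml)
    exposed = sorted({m for y in rest_resource_ymls
                      for m in resource_methods(y) if m in WRITE_METHODS})
    # JSON:API exposes its own write endpoints, so it counts even without rest config.
    writes_reachable = bool(exposed) or "jsonapi" in modules
    web_services = bool(modules & WEB_SERVICE_MODULES)
    return {
        "core_status": status,
        "web_services_enabled": web_services,
        "exposed_write_methods": exposed,
        "at_risk": status != "patched" and web_services and writes_reachable,
    }


# --- constructed sample inputs (not taken from any real site) -----------------
CORE_VULNERABLE = "<?php\nclass Drupal {\n  const VERSION = '8.6.9';\n}\n"
CORE_PATCHED = "<?php\nclass Drupal {\n  const VERSION = '8.6.10';\n}\n"
CORE_EXTENSION = "module:\n  node: 0\n  rest: 0\n  serialization: 0\n  system: 0\ntheme:\n  bartik: 0\nprofile: standard\n"
NODE_RESOURCE_OPEN = (
    "id: entity.node\nplugin_id: 'entity:node'\ngranularity: resource\n"
    "configuration:\n  methods:\n    - GET\n    - POST\n    - PATCH\n    - DELETE\n"
    "  formats:\n    - json\n  authentication:\n    - cookie\n"
)
# The mitigated form: the same resource with PUT/PATCH/POST removed.
NODE_RESOURCE_READONLY = (
    "id: entity.node\nplugin_id: 'entity:node'\ngranularity: resource\n"
    "configuration:\n  methods:\n    - GET\n  formats:\n    - json\n"
    "  authentication:\n    - cookie\n"
)

if __name__ == "__main__":
    for label, core, res in [("unpatched, open", CORE_VULNERABLE, NODE_RESOURCE_OPEN),
                             ("unpatched, read-only", CORE_VULNERABLE, NODE_RESOURCE_READONLY),
                             ("patched, open", CORE_PATCHED, NODE_RESOURCE_OPEN)]:
        print(label, assess(core, CORE_EXTENSION, [res]))
```

The read-only resource is the file-level shape of the advisory's interim mitigation: trimming `methods:` to `GET` removes the write paths this bug needs, and the script reports the site as no longer at risk even on an unpatched core. Note that the check reads exported configuration, so on a site whose active config differs from the sync directory the verdict applies to the exported files, not necessarily to what is live.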
Credit for discovery and reporting of the bug was given to Samuel Mortenson, a member of the Drupal security team.
Drupal are no strangers to high-priority security patches. Last summer, a pair of critical bugs dubbed "Drupalgeddon" triggered multiple releases of high-priority patches as the website building biz sought to help admins close flaws that would potentially allow for remote server hijacks. ®