Warning over critical security flaw in Drupal

A remote code execution flaw in the widely used Drupal content management system could expose tens of thousands of websites worldwide to a repeat of 'Drupalgeddon', security specialists have warned.

The flaw was uncovered by Samuel Mortenson, who is part of the Drupal security team. It is not currently being exploited in the wild and no known exploit code has emerged. However, it is expected to be only a matter of time before working exploit code appears.

"The remote execution flaw exists because some field types do not properly sanitise data from non-form sources and this can be exploited to achieve arbitrary PHP code execution," Red Packet Security warned in an advisory.

The flaw only affects specific site configurations, the company added, namely sites with web services modules enabled that accept write requests.

Fixes have been released and organisations are advised to patch as a matter of priority. Drupal 8 users have been told to upgrade to version 8.6.10 or 8.5.11.

"Be sure to install any available security updates for contributed projects after updating Drupal core," the Drupal security team warned. "No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates."

Red Packet Security added: "If a quick update is impossible, users can mitigate the danger by disabling all web services modules or configuring their web servers to not allow PUT/PATCH/POST requests to web services resources."
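The web-server side of that stopgap, as an added example that is not part of the advisory or of Drupal's own configuration: an Apache 2.4 virtual-host fragment that refuses every method except GET, HEAD and OPTIONS on the paths Drupal's web services typically answer on. The path pattern is an assumption; which routes are exposed depends on the REST resources and modules each site has enabled, so it must be checked against the site's own routing before use, and any legitimate API client that writes to those paths will be blocked too.

```apache
# Added example, not from the advisory or the Drupal project.
# Place in the site's <VirtualHost> (LocationMatch is not valid in .htaccess).
# Paths below are assumptions: enumerate the site's actual web services routes.
<LocationMatch "^/(jsonapi(/|$)|node/[0-9]+$|entity/|taxonomy/term/[0-9]+$|user/[0-9]+$)">
    # Allow only read-style methods; PUT, PATCH, POST and everything else
    # are denied with 403 until Drupal core and contributed modules are updated.
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</LocationMatch>
```

After reloading Apache, confirm the rule is active with a deliberately failing request, for example `curl -i -X PATCH https://example.org/node/1` (hostname and node ID are placeholders), which should return a 403. This only narrows the attack surface; the update to 8.6.10 or 8.5.11, plus the contributed-module updates, remains the fix.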