
Millions of websites threatened by highly critical code execution bug in Drupal

Sites running the Drupal content management system are at risk of being hijacked until they are patched against a vulnerability that allows attackers to remotely execute malicious code.

CVE-2019-6340, as the flaw is tracked, stems from a failure to properly sanitize user-supplied input, Drupal's maintainers said in an advisory. Attackers who exploit the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.

"Some field types do not properly sanitize data from non-form sources," the advisory stated.

A site is affected only if one of the following conditions holds:

  • It has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • It has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Drupal's maintainers are urging administrators of vulnerable websites to update at once. For sites running version 8.6.x, this means upgrading to 8.6.10; sites running 8.5.x or earlier should upgrade to 8.5.11. Sites must also install any available security updates for contributed projects after updating Drupal core. Drupal is the third most widely used CMS, behind WordPress and Joomla.
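One way to turn the two advisory conditions and the fixed-release numbers above into a repeatable check, as an added example that is not code from the article or from the Drupal project: a POSIX shell script that takes a core version string and a newline-separated list of enabled module machine names and prints a verdict. The module machine names (rest, jsonapi, services, restws), the drush invocations in the trailing comment, and the sample module list are assumptions constructed for the example; the 8.6.10 and 8.5.11 thresholds are the ones the article gives.

```shell
#!/bin/sh
# Added example (not from the article or the Drupal project): decide whether a
# Drupal site falls under the CVE-2019-6340 advisory conditions and whether its
# core release is behind the fixed versions named in the article.
# Assumptions: module machine names rest, jsonapi, services, restws; the drush
# commands in the comment at the bottom; the sample module list is constructed.

FIXED_86="8.6.10"   # fixed release for the 8.6.x branch (from the article)
FIXED_85="8.5.11"   # fixed release for 8.5.x and earlier 8.x (from the article)

# version_lt A B: exit 0 when dotted version A is lower than B, comparing each
# numeric component in turn. Plain POSIX awk, so no dependency on sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# core_is_patched VERSION: exit 0 when an 8.x core release is at or above the
# fixed release for its branch. 8.6.x is measured against 8.6.10, every other
# 8.x release against 8.5.11 (the article's "8.5.x or earlier" case).
core_is_patched() {
    case "$1" in
        8.6.*) ! version_lt "$1" "$FIXED_86" ;;
        8.*)   ! version_lt "$1" "$FIXED_85" ;;
        *)     return 1 ;;   # not an 8.x release: treat as needing review
    esac
}

# web_service_enabled MODULES: exit 0 when the newline-separated list of enabled
# module machine names contains one of the modules the advisory conditions
# name. A module list cannot show whether rest actually allows PATCH or POST
# (that is set per REST resource), so rest is treated as in scope conservatively.
web_service_enabled() {
    printf '%s\n' "$1" | grep -qxE 'rest|jsonapi|services|restws'
}

# assess VERSION MODULES: print exactly one verdict token:
#   not-in-scope    no web services module enabled
#   patched         in scope, but 8.x core already at a fixed release
#   update-core     in scope, 8.x core behind the fixed release
#   update-contrib  in scope on Drupal 7, where the fix is in the contributed
#                   web services modules rather than in core (assumption)
assess() {
    if ! web_service_enabled "$2"; then
        echo not-in-scope
        return
    fi
    case "$1" in
        7.*) echo update-contrib ;;
        *)   if core_is_patched "$1"; then echo patched; else echo update-core; fi ;;
    esac
}

# Constructed sample, standing in for the module list of a hypothetical 8.6.9
# site with the core rest module switched on (not captured from a real system).
SAMPLE_MODULES="node
user
rest
serialization
views"

# Stand-alone demonstration against the constructed sample.
printf 'core 8.6.9 with rest enabled -> %s\n' "$(assess 8.6.9 "$SAMPLE_MODULES")"

# On a real site (not run here; drush 9 syntax assumed):
#   assess "$(drush status --field=drupal-version)" \
#          "$(drush pm:list --status=enabled --type=module --format=list)"
```

A module list alone cannot show whether the rest module accepts PATCH or POST, since that is configured per REST resource, so a site flagged update-core on the strength of rest alone should confirm its resource configuration rather than assume exposure either way; the version comparison still tells it whether the core update the article describes has been applied.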

Drupal is the third most widely used CMS, behind WordPress and Joomla. With an estimated 3 to 4 percent of the world's billion-plus websites, that means Drupal runs tens of millions of sites. Critical flaws in any CMS are popular with attackers, because a single, often easy-to-write script can be unleashed against large numbers of sites at once.

In 2014 and again last year, attackers wasted no time exploiting extremely critical code-execution vulnerabilities shortly after they were fixed by Drupal project leaders. Last year's "Drupalgeddon2" vulnerability was silently exploited six weeks after it was patched.

At the time this post went live, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. That is obviously subject to change, and this post will be updated if it does.

