Drupal has released an update to patch a critical flaw that could allow attackers to take control of a website remotely. The update came two days after the Drupal team released an advance security notification of the upcoming patches, giving administrators an early heads-up so they could prepare to fix their websites.
The vulnerability is a remote code execution (RCE) flaw in Drupal Core that could allow “PHP code execution,” the Drupal security team said.
No technical details of the vulnerability (CVE-2019-6340) have been released; the advisory only says that the flaw exists because some field types do not properly sanitize data from non-form sources. The vulnerability affects both Drupal 7 and Drupal 8.
A Drupal-based website is only affected if the RESTful Web Services (rest) module is enabled, or if it has another web services module enabled.
If you cannot install the latest update, you need to mitigate the flaw by disabling all web services modules, or by configuring your web server(s) not to allow PUT/PATCH/POST requests.
“Note that web services resources may be available on multiple paths depending on the configuration of your server(s),” Drupal warns in its security advisory.
“For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the ‘q’ query argument. For Drupal 8, paths may still function when prefixed with index.php/.”
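The advisory's point is that a request can reach the same web-services resource through several URL forms, so a check that only looks at one form will miss the others. The following is an added example (not Drupal's code and not from the advisory) that scans web-server access logs for the PUT/PATCH/POST requests the workaround is meant to block and reports the effective Drupal path after folding the three forms the advisory names: a clean URL, an index.php/ prefix, and the Drupal 7 q= query argument. It assumes the common "combined" log format and no extra base path or alias rewriting; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Methods the advisory says a web server may refuse as a workaround.
UNSAFE_METHODS = {"PUT", "PATCH", "POST"}

# Apache/nginx "combined" log format (assumption: your server uses it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2019:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Feb/2019:10:00:02 +0000] "POST /node/1 HTTP/1.1" 200 88 "-" "curl/7.64.0"
203.0.113.11 - - [21/Feb/2019:10:00:03 +0000] "PATCH /index.php/node/1 HTTP/1.1" 200 88 "-" "curl/7.64.0"
203.0.113.12 - - [21/Feb/2019:10:00:04 +0000] "PUT /?q=node/1 HTTP/1.1" 403 0 "-" "curl/7.64.0"
203.0.113.13 - - [21/Feb/2019:10:00:05 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""


def effective_path(target: str) -> str:
    """Fold the URL forms named in the advisory into one Drupal path.

    /node/1, /index.php/node/1 and /?q=node/1 all map to /node/1.
    Assumes no base path or alias rewriting in front of Drupal.
    """
    parts = urlsplit(target)
    path = parts.path
    if path.startswith("/index.php/"):          # Drupal 8 index.php/ prefix
        path = path[len("/index.php"):]
    elif path in ("/", "/index.php"):           # Drupal 7 ?q= argument
        q = parse_qs(parts.query).get("q")
        if q:
            path = "/" + q[0].lstrip("/")
    return path


def find_unsafe_requests(log_text: str):
    """Return (ip, method, effective_path, status) for each PUT/PATCH/POST line.

    Legitimate form submissions also use POST, so review hits by path;
    a 403 shows the web-server block is in effect for that request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the scan
        if m["method"] in UNSAFE_METHODS:
            hits.append((m["ip"], m["method"], effective_path(m["target"]), int(m["status"])))
    return hits
```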
Considering how widely Drupal flaws are exploited once a patch is public, administrators are advised to install the latest update as soon as possible:
- If you are using Drupal 8.6.x, upgrade your website to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade your website to Drupal 8.5.11.
The Drupal 7 Services module itself does not require an update at this time, but users should still consider applying the updates associated with the latest advisory if Services is in use.