Drupal releases patch for 'highly critical' remote code execution flaw that puts millions of sites at risk
Sites based on the CMS Drupal are at risk from a remote code execution flaw which has been classed as "highly critical". Site owners are being urged to install updates to ensure they are protected.
The security flaw -- CVE-2019-6340 or SA-CORE-2019-003 -- affects Drupal 8.5.x and 8.6.x, but certain conditions must be met for a site to be vulnerable.
In a security advisory, the Drupal Security Team explains: "Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases".
The advisory goes on to describe the scenarios in which a site would be considered vulnerable to the flaw:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7
Anyone using Drupal 8.6.x is advised to upgrade to Drupal 8.6.10, while users of Drupal 8.5.x or earlier should upgrade to Drupal 8.5.11.
Samuel Mortenson from the Drupal Security Team adds:
To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources. Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the "q" query argument. For Drupal 8, paths may still function when prefixed with index.php/.
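The path variants Mortenson mentions (the index.php/ prefix in Drupal 8, the "q" query argument in Drupal 7) are easy to miss when checking whether a web-server block rule actually covers write requests to web services resources. The following script, added here as an illustration and not taken from Drupal or the advisory, normalises those variants and flags PUT/PATCH/POST requests to web services paths in access-log lines; the prefix list and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Methods the advisory says to refuse on web services resources.
WRITE_METHODS = {"PUT", "PATCH", "POST"}

# Path prefixes treated as web services resources. This list is an assumption
# for the example; tailor it to the modules (rest, jsonapi, services) the site enables.
WS_PREFIXES = ("/jsonapi/", "/entity/", "/node/", "/user/")

# Common/combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target: str) -> str:
    """Map the path variants the advisory warns about onto one canonical path.

    Drupal 8: /index.php/node/1 behaves like /node/1.
    Drupal 7: /?q=node/1 (and /index.php?q=node/1) behaves like /node/1.
    """
    parts = urlsplit(target)
    path = parts.path
    q = parse_qs(parts.query).get("q")
    if q:                                   # Drupal 7 non-clean URL
        path = "/" + q[0].lstrip("/")
    if path.startswith("/index.php/"):      # Drupal 8 front-controller prefix
        path = path[len("/index.php"):]
    return path


def is_ws_write(method: str, target: str) -> bool:
    """True if the request is a write to a web services resource on any path variant."""
    return method in WRITE_METHODS and normalise_path(target).startswith(WS_PREFIXES)


def flag_requests(log_lines):
    """Return (ip, method, canonical path, status) for each flagged log line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_ws_write(m["method"], m["target"]):
            hits.append((m["ip"], m["method"], normalise_path(m["target"]), m["status"]))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2019:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Feb/2019:10:00:02 +0000] "POST /index.php/node/1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [20/Feb/2019:10:00:03 +0000] "PATCH /?q=node/1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [20/Feb/2019:10:00:04 +0000] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A flagged request with a 2xx status after the block rule is in place indicates the rule missed one of the path variants.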