Friendly reminder to Drupal admins: Secure your sh!t before latest RCE-holes get you
Last week's disclosures are now this week's live attacks
Just days after a remote code execution flaw in open-source web publishing software Drupal was made public, researchers have already spotted live exploits in the wild – reinforcing the need for admins to patch and update their sites immediately.
As The Register reported last week: "A successful exploit of the vulnerability would allow a hacker to remotely run malicious code on the targeted website's server, effectively commandeering the site."
Drupal's maintainers told us at the time they went public that "some field types do not properly sanitize data from non-form sources", which could "lead to arbitrary PHP code execution in some cases".
The vuln affects sites running Drupal 8 core with the RESTful Web Services (rest) module enabled, and it handles PATCH or POST requests. Sites with another web services module enabled such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7, may also be vulnerable.
Infosec outfit Ambionics Security said in a blog post: "By making use of the patch provided by Drupal, we were able to build a working exploit; furthermore, we discovered that the immediate remediation proposed for the vulnerability was incomplete, which could lead to a false sense of security."
They added that in their opinion remote code execution (RCE) "is triggerable through a GET request, and without any kind of authentication, even if POST/PATCH requests are disabled in the REST configuration" and suggested the only true fix would be upgrading Drupal or disabling the REST module.
Imperva also said it had seen attempts "to install a shell uploader to upload arbitrary files on demand" on targeted Drupal sites.
Mitigating the vuln is straightforward if you're on Drupal 8.5 or 8.6: update to version 8.6.10 or 8.5.11 as appropriate. Drupal 7 does not require a core update, according to Drupal itself, though "several Drupal 7 contributed modules require updates".
If you're on versions of Drupal prior to 8.5, good luck: they've reached end-of-life. You could, however, take the other Drupal-suggested approach of configuring your webserver "to not allow GET/PUT/PATCH/POST requests to web services resources". ®