On the web, a CMS (content management system) is the most common way to build a polished website and run it quickly and efficiently. Drupal is one of the most popular and powerful CMS options for site developers and administrators, offering a great deal of versatility and flexibility. However, Drupal's code contained a serious bug, nicknamed "Drupalgeddon2". An attacker who exploited it could take over the website outright.
Drupal has released a patch for this severe bug. Every Drupal site owner must update immediately, as in right now. The latest Drupal release is 8.5.1, with fixed releases also available for the 8.3.x, 8.4.x and 7.x branches (8.3.9, 8.4.6 and 7.58). The flaw is so severe that Drupal assigned it a risk score of 21 out of 25, "Highly critical" on its scale.
Drupal’s unauthenticated RCE flaw
The bug was identified very recently and assigned the identifier CVE-2018-7600. Using it, an attacker could execute arbitrary code on the web server. The flaw lies in Drupal core itself, affecting multiple subsystems under default or common module configurations, so a site needs no particular add-on module to be vulnerable. In short, the attacker could take over the website completely.
Moreover, the bug is easy to exploit. The attacker does not need to register or log in to the site; all it takes is a crafted request to a URL on the site.
Drupal credits Jasper Mattsson of Druid, a Drupal security auditing firm, with identifying the bug.
Although it is not as severe as the original Drupalgeddon (CVE-2014-3704, an SQL injection flaw with a risk score of 25/25), the community nicknamed the new bug Drupalgeddon2.
No proof-of-concept, no attacks detected (yet)
Despite the bug's severity, at the time of writing no proof-of-concept code has been published anywhere on the internet, and there are no reports of the bug being exploited to take over a website. With the patches released, security researchers are diffing the patched code against the previous releases to work out exactly what was fixed.
However, because the bug has been publicly disclosed, the Drupal team expects to see exploit attempts against unpatched systems within days.
Note that Drupal 6.x and 7.x are also affected. Drupal released a separate fix for the 7.x branch (7.58), and a patch was also made available for Drupal 6 even though that branch reached end of life in February 2016.
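The fix in SA-CORE-2018-002 works by stripping request parameters whose names begin with `#` (the prefix Drupal's Form API reserves for render-array properties) from GET, POST and cookie input before the request is processed. That gives defenders of still-unpatched sites a simple thing to look for. The following is an added example, not code from the article or from the Drupal project: it scans constructed access-log lines in combined format and flags any request whose query string carries a `#`-prefixed parameter name, including PHP-style nested names such as `form[#value]`, which Drupal parses segment by segment.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format line: client IP, timestamp, request line, status. Other fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic for the demo; these are not real log lines.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2018:10:12:01 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2018:10:12:02 +0000] "GET /user/login?destination=node/1 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2018:10:13:40 +0000] "GET /?%23value=x HTTP/1.1" 200 1844 "-" "curl/7.58.0"
198.51.100.7 - - [02/Apr/2018:10:13:41 +0000] "POST /user/register?form%5B%23value%5D=x HTTP/1.1" 200 1844 "-" "curl/7.58.0"
"""


def hash_keyed_params(query: str) -> list:
    """Return the parameter names in a query string that contain a '#'-prefixed segment.

    Drupal parses PHP-style nested names, so 'form[#value]' is split into its
    segments and each one is tested, which mirrors where the fix strips keys.
    """
    flagged = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        segments = [s for s in re.split(r'[\[\]]', name) if s]
        if any(seg.startswith('#') for seg in segments):
            flagged.append(name)
    return flagged


def suspicious_requests(log_text: str) -> list:
    """Scan access-log text; return (ip, method, target, flagged_names) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        target = m.group('target')
        names = hash_keyed_params(urlsplit(target).query)
        if names:
            hits.append((m.group('ip'), m.group('method'), target, names))
    return hits


if __name__ == '__main__':
    for ip, method, target, names in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {method} {target}  ->  '#' keys: {names}")
```

Two caveats. A normal access log records only the request line, so this catches the GET vector but not `#` keys sent in a POST body or a cookie; for those you need request-body logging or a WAF rule that applies the same test to form fields and cookie names. And a hit is a reason to investigate the host, not proof of compromise, since a legitimately patched site simply discards such keys.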
What to do now
If you administer a Drupal website, update it to the latest release now. If applying the patch to the live site straight away is impractical, replace the site temporarily with a static HTML version so that you are not exposed in the meantime.
Expect a little downtime, but do not let that delay the patch. For example, when Drupal's own website applied the Drupalgeddon2 fix, the site was offline for around half an hour.
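Before and after updating, it helps to confirm which core release a checkout is actually running. The following is an added example, not code from the article or from the Drupal project. It reads the version constant from the files where Drupal 8 (`core/lib/Drupal.php`) and Drupal 7 (`includes/bootstrap.inc`) declare it, and compares the result against the fixed releases named in SA-CORE-2018-002. The file excerpts are constructed for the demo; the paths are the ones I expect on a stock install, so confirm them on your own tree.

```python
import re

# Releases that contain the fix, per SA-CORE-2018-002 (CVE-2018-7600), keyed by branch.
FIXED_RELEASES = {
    '7': (7, 58),
    '8.3': (8, 3, 9),
    '8.4': (8, 4, 6),
    '8.5': (8, 5, 1),
}

# Where core declares its version string, relative to the Drupal root (assumed stock paths).
VERSION_PATTERNS = {
    'core/lib/Drupal.php': re.compile(r"const VERSION = '([^']+)'"),          # Drupal 8
    'includes/bootstrap.inc': re.compile(r"define\('VERSION', '([^']+)'\)"),  # Drupal 7
}

# Constructed excerpts of the two version files, standing in for a real checkout.
SAMPLE_FILES = {
    'core/lib/Drupal.php': "<?php\n\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n",
    'includes/bootstrap.inc': "<?php\n\ndefine('VERSION', '7.58');\n",
}


def find_version(relative_path: str, contents: str):
    """Pull the core version string out of a version-bearing file, or None if absent."""
    pattern = VERSION_PATTERNS.get(relative_path)
    if pattern is None:
        return None
    m = pattern.search(contents)
    return m.group(1) if m else None


def assess(version: str):
    """Return (patched, reason) for a core version string such as '8.5.0' or '7.57'."""
    base = version.split('-')[0]  # drop suffixes such as '-dev' or '-rc1'
    try:
        parts = tuple(int(p) for p in base.split('.'))
    except ValueError:
        return False, f"cannot parse version {version!r}; verify the install by hand"
    if len(parts) < 2:
        return False, f"cannot parse version {version!r}; verify the install by hand"
    major, minor = parts[0], parts[1]
    if major >= 9 or (major == 8 and minor > 5):
        return True, f"{version} is newer than the first fixed 8.x release"
    if major == 8:
        branch = f"8.{minor}"
        if branch not in FIXED_RELEASES:
            return False, f"{branch}.x is unsupported and has no fix; upgrade to 8.5.1"
        fixed = FIXED_RELEASES[branch]
    elif major == 7:
        fixed = FIXED_RELEASES['7']
    else:
        return False, "Drupal 6 reached end of life in February 2016; apply the community D6 patch or migrate"
    if parts >= fixed:  # tuple comparison: (8, 5, 0) < (8, 5, 1), (7, 57) < (7, 58)
        return True, f"{version} includes the fix"
    fixed_str = '.'.join(str(n) for n in fixed)
    return False, f"{version} is vulnerable; update to {fixed_str} or later"


def check_install(files: dict) -> dict:
    """Assess each version-bearing file in files ({relative_path: contents})."""
    results = {}
    for path, contents in files.items():
        version = find_version(path, contents)
        if version is not None:
            results[path] = (version,) + assess(version)
    return results


if __name__ == '__main__':
    for path, (version, patched, reason) in check_install(SAMPLE_FILES).items():
        print(f"{path}: {version} -> {'OK' if patched else 'VULNERABLE'} ({reason})")
```

The version string alone is not the whole story: a fix that was backported by hand, by a distribution package or by the Drupal 6 community patch does not bump the version. In that case confirm that the request-sanitising code the fix introduced is actually present (in Drupal 8 it lives at `core/lib/Drupal/Core/Security/RequestSanitizer.php`) rather than trusting the number.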
Drupal currently powers around 1 million websites, with a market share of roughly 9%.