Serious errors in Drupal CMS, but sites protected by CloudFlare are potentially secure
Since yesterday evening Polish time, news of a serious vulnerability in the Drupal CMS (also known as a CMF) has been circulating among webmasters. The vulnerability, CVE-2018-7600, has now been fixed; it allowed an attacker to run arbitrary code on the server without special permissions. In a default installation the attacker did not need to authenticate. The Drupal security team rated the vulnerability as highly critical: it received 21 points out of a possible 25.
Due to the seriousness of the threat, no technical details were provided. Exploitation was so simple that the attacker did not need to be logged in to the site as a user, let alone as an administrator. A browser and its address bar were enough. By modifying the URL, it was possible to delete or modify data.
Drupal uses the hash "#" at the beginning of the array keys to signify special keys. Basically you can inject these. See Drupal form API for example.
- Kyle Cunningham (@codeincarnate) March 28, 2018
So far, no public exploit has been developed, although it is not known whether manipulating the URL would work on a configuration other than the default one. If your site has been hacked, the Drupal team has prepared a guide on what to do.
The situation is nevertheless very serious. We recommend updating the core urgently. All core versions before 7.58 and 8.5.1 are vulnerable. These versions were patched as soon as possible.
Administrators of unsupported Drupal versions from the 6.X and 5.X lines can read the thread on Reddit and the patch.
Websites protected by the CloudFlare web application firewall (WAF) are potentially secure. The CloudFlare WAF is not available in the free version of the CDN service.
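The "#"-prefixed array keys mentioned in the quoted tweet give administrators something concrete to look for in request parameters while the core update is being rolled out. The sketch below is an added example, not code from Drupal or CloudFlare; the function names, paths and parameter names are constructed placeholders, and it assumes PHP-style bracketed parameter names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

_BRACKETED = re.compile(r"\[([^\]]*)\]")

def key_segments(name):
    """Split a PHP-style name like 'a[b][c]' into ['a', 'b', 'c']."""
    head = name.split("[", 1)[0]
    return [head] + _BRACKETED.findall(name)

def hash_prefixed_params(request_target):
    """Return query parameter names with any key segment starting with '#'.

    parse_qsl percent-decodes names, so %23 and %5B/%5D are handled too.
    """
    query = urlsplit(request_target).query
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if any(seg.startswith("#") for seg in key_segments(name))
    ]

def strip_hash_keys(data):
    """Recursively drop '#'-prefixed keys from already-parsed input."""
    if isinstance(data, dict):
        return {
            k: strip_hash_keys(v)
            for k, v in data.items()
            if not (isinstance(k, str) and k.startswith("#"))
        }
    if isinstance(data, list):
        return [strip_hash_keys(v) for v in data]
    return data

# Constructed request targets, as they would appear in an access log.
SAMPLE_TARGETS = [
    "/node/1?page=2&sort=asc",
    "/form?profile%5B%23example%5D=x",
    "/search?filter[type]=article&filter[%23demo][]=1",
    "/contact?%23top=1",
]

def flagged_targets(targets):
    """Map each suspicious request target to its offending parameter names."""
    result = {}
    for target in targets:
        hits = hash_prefixed_params(target)
        if hits:
            result[target] = hits
    return result

if __name__ == "__main__":
    for target, hits in flagged_targets(SAMPLE_TARGETS).items():
        print(target, "->", hits)
```

A check like this is a stopgap for log review or request filtering and does not replace updating the core.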
We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.