The discovery of a critical remote code execution vulnerability in the Drupal content management system puts sites at risk of compromise and data theft. The vulnerability is trivially easy to exploit by anyone who can visit a Drupal site. Updates have been released for Drupal 6, 7, and 8 and should be applied without delay.
LiquidWeb hosting clients who run sites based on Drupal 7.X should upgrade to version 7.58.
Drupal sites running version 8.5.X should upgrade to Drupal 8.5.1.
Drupal 8.3.X and 8.4.X are no longer supported, but because the vulnerability is so serious, fixed releases have been published for those branches as well; site owners on them are still advised to update to 8.5.X as soon as possible.
Drupal 6 has been unsupported since 2015 and will not receive official updates; however, patches have been released by the Drupal 6 LTS project.
The vulnerability is caused by Drupal’s handling of HTTP request parameters. If the parameters contain special characters, they may be misinterpreted by Drupal. A user can pass an array into the application via a request, and if that array has a key name containing code, it is processed without being sanitized. In effect, simply visiting a site with a crafted URL can compromise it. There is no simple configuration change that mitigates the vulnerability.
The patches add code that filters data submitted by users via GET and POST requests and cookies before Drupal processes it, preventing an attacker from injecting remote code into Drupal Core.
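To make the mechanism and the fix concrete, here is an added Python illustration; it is not Drupal's own code (Drupal's sanitizer is PHP) but models the same idea. It parses PHP-style nested request parameters and then strips any array key that begins with `#`, the prefix Drupal reserves for its internal render-array properties and the marker the fixed releases remove from GET, POST and cookie input. The query strings, the `#marker` key and the `parse_php_query` helper are constructed for this example, and the helper is a simplified stand-in for PHP's real nesting rules; the list of removed keys is returned so a site operator can log and alert on requests that carried such keys.

```python
import re
from urllib.parse import parse_qs


def parse_php_query(query_string):
    """Parse 'a=1&form[x][y]=2' into nested dicts, PHP-style.

    Simplified stand-in for PHP's parameter parsing (constructed for
    this example): bracket segments become nested dict keys, and when
    a key repeats, the last value wins.
    """
    nested = {}
    for raw_key, values in parse_qs(query_string, keep_blank_values=True).items():
        match = re.match(r"^([^\[]+)((?:\[[^\]]*\])*)$", raw_key)
        if not match:
            continue  # malformed key, ignore it
        path = [match.group(1)] + re.findall(r"\[([^\]]*)\]", match.group(2))
        for value in values:
            node = nested
            for part in path[:-1]:
                node = node.setdefault(part, {})
            node[path[-1]] = value
    return nested


def strip_unsafe_keys(value, prefix="#", removed=None):
    """Recursively drop dict keys starting with `prefix`.

    Mirrors the defensive filter in the Drupal fix: keys beginning with
    '#' are reserved for internal render-array properties and must never
    arrive from user input. Every removed key name is appended to
    `removed` so the caller can log it.
    """
    if removed is None:
        removed = []
    if isinstance(value, dict):
        clean = {}
        for key, inner in value.items():
            if isinstance(key, str) and key.startswith(prefix):
                removed.append(key)
                continue
            clean[key] = strip_unsafe_keys(inner, prefix, removed)
        return clean
    if isinstance(value, list):
        return [strip_unsafe_keys(inner, prefix, removed) for inner in value]
    return value


def sanitize_request(query_string, post=None, cookies=None):
    """Sanitize the three user-controlled inputs the patch covers.

    Returns (clean_inputs, removed_keys). A non-empty removed_keys list
    is a detection signal worth recording in the web server or
    application log.
    """
    removed = []
    clean = {
        "GET": strip_unsafe_keys(parse_php_query(query_string), removed=removed),
        "POST": strip_unsafe_keys(post or {}, removed=removed),
        "COOKIE": strip_unsafe_keys(cookies or {}, removed=removed),
    }
    return clean, removed


if __name__ == "__main__":
    # Constructed samples: one ordinary form submission, one carrying a
    # '#'-prefixed key (encoded as %23) that the filter must strip.
    for qs in ("name=alice&form[color]=blue", "form[%23marker]=x&ok=1"):
        clean, removed = sanitize_request(qs)
        print(qs, "->", clean["GET"], "removed:", removed)
```

In a deployment the useful part is the `removed` list: a request that needed any key stripped is unusual enough to be logged with the client address and path, which gives the operator a cheap indicator of probing against the site even after the update is applied.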
There is no evidence that the vulnerability was exploited prior to the release of the patches, but now that the information and the patches are public, it is only a matter of time before bad actors begin to exploit sites and release utilities that can automatically exploit vulnerable sites.
With a NIST Common Misuse Scoring System risk score of 21 out of 25, this vulnerability is rated highly critical. That means it is trivially easy to exploit, anonymous users can exploit it without needing privilege escalation, it exposes all non-public data, and all data on the site can be modified or deleted.
In a nutshell, if your site is one of the more than a million running on an affected version of Drupal, it is critical that you apply the available updates as soon as possible.