Wednesday, April 25, 2018

Third Critical Drupal Flaw Discovered—Patch Your Sites Immediately


Damn! You have to update your Drupal websites.

Yes, of course once again—literally it’s the third time in the last 30 days.

As notified in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution vulnerability affecting its Drupal 7 and 8 core.

Drupal is a popular open-source content management system that powers millions of websites, and unfortunately, the CMS has been under active attack since the disclosure of a highly critical remote code execution vulnerability.

The previously disclosed critical vulnerability, dubbed Drupalgeddon2 (CVE-2018-7600), was patched on March 28, but the changes made to fix this flaw opened another critical loophole (CVE-2018-7602) in the core software, forcing the Drupal team to release a follow-up patch.

According to a new advisory released by the team, the remote code execution vulnerability could allow attackers to take over vulnerable websites completely.

Since the previous flaw has drawn much attention and motivated attackers to target websites running Drupal, the company has urged all website administrators to install the new security patches as soon as possible.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.
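
The three upgrade rules above can be turned into a triage check for a site inventory. The following is an added example, not Drupal project code: it takes the version string each site reports, compares it against the fixed releases named in the advisory (7.59, 8.4.8, 8.5.3), and returns the ordered releases still to install, including the two-step path for unsupported 8.4.x sites. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed release per branch, taken from the advisory text above.
FIXED: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (7,): (7, 59),
    (8, 4): (8, 4, 8),
    (8, 5): (8, 5, 3),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.1' (or '8.5.1-dev') into a comparable tuple of ints."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def upgrade_path(version: str) -> List[str]:
    """Ordered releases to install; an empty list means already patched.

    8.4.x is end-of-life, so per the advisory it lands on 8.4.8 first and
    then moves to the supported 8.5.3. Branches the advisory does not list
    (e.g. 8.3.x) raise, since no in-branch fixed release exists for them.
    """
    v = parse_version(version)
    branch = v[:1] if v[0] == 7 else v[:2]
    if branch not in FIXED:
        label = ".".join(map(str, branch))
        raise ValueError(f"no patched release listed for branch {label}.x")
    target = FIXED[branch]
    if v >= target:
        return []
    path = [".".join(map(str, target))]
    if branch == (8, 4):
        path.append("8.5.3")
    return path

def triage(sites: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> upgrade path for every site that still needs patching."""
    return {host: upgrade_path(ver) for host, ver in sites.items()
            if upgrade_path(ver)}

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = {"www.example.test": "7.58", "intranet.example.test": "8.4.6",
                 "shop.example.test": "8.5.3", "blog.example.test": "8.5.2-dev"}
    for host, path in triage(inventory).items():
        print(f"{host}: install {' -> '.join(path)}")
```
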

"We are not aware of any active exploits in the wild for the new vulnerability," a Drupal spokesperson told The Hacker News. "Moreover, the new flaw is more complex to string together into an exploit."

However, that does not mean you can wait until the next morning to update your website, believing it won't be attacked.

We have seen how attackers developed automated exploits and successfully launched attacks leveraging the Drupalgeddon2 vulnerability within a few hours after its details went public, injecting cryptocurrency miners, backdoors, and other malware into websites.

Besides these two flaws, the team also patched a moderately critical cross-site scripting (XSS) vulnerability last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.

Therefore, Drupal website admins are strongly advised to update their websites as soon as possible.



from The Hacker News https://ift.tt/2JsyPcv
