Drupalgeddon Redux (2018)

In 2014 there was a large issue in the popular Drupal web platform / framework known as Drupalgeddon. The system is a popular tool for creating web sites, but many now use it for building sophisticated applications. This means it has a large attack surface, because it can do almost anything.

The original Drupalgeddon (SA-CORE-2014-005) was caused by SQL injection. This allowed attackers to craft SQL queries to read anything from the database, or alternatively to modify it at will. Now there is a new issue, which is a simple sanitization problem with input parameters.

This issue (CVE-2018-7600, SA-CORE-2018-002) affects at least Drupal 7.57, with the patch coming in 7.58; the root cause is that the core simply does not sanitize unsafe request values. The change is shown in the code below, within the core bootstrap (includes/bootstrap.inc):


This comes from the patch shown on GitHub here: SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm… SA-CORE-2018-002 covers a lot more issues that mandate upgrading the Drupal 7.x and Drupal 8.x releases ASAP: Drupal Critical Vulnerabilities (SA-CORE-2018-002)
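As an added illustration (not the project's own code and not the actual patch), the following shows the sanitization approach Drupal 7.58 introduced in includes/bootstrap.inc: request keys beginning with `#`, which are reserved for Form API render-array properties and should never arrive from a client, are dropped before the request is processed. The request array, key names and the `sanitize_request_array` function below are constructed for this example.

```php
<?php
// Added illustration, not Drupal's own code: strip request keys that start
// with '#' from a request array (e.g. $_GET or $_POST) before it is used.
// Keys beginning with '#' denote render-array properties in Drupal's Form API,
// so a client-supplied one is never legitimate input.

/**
 * Recursively remove every array key that begins with '#'.
 *
 * @param array  $input   Request array, modified in place.
 * @param string $prefix  Path used only when recording which keys were removed.
 * @param array  $removed Collects the paths of dropped keys for logging.
 */
function sanitize_request_array(array &$input, $prefix, array &$removed) {
    // Iterate over a snapshot of the keys so unset() is safe during the loop.
    foreach (array_keys($input) as $key) {
        $path = $prefix . '[' . $key . ']';
        if (is_string($key) && strpos($key, '#') === 0) {
            $removed[] = $path;
            unset($input[$key]);
            continue;
        }
        if (is_array($input[$key])) {
            sanitize_request_array($input[$key], $path, $removed);
        }
    }
}

// Constructed sample request, for demonstration only.
$request = [
    'name' => 'alice',
    'mail' => 'alice@example.com',
    'profile' => [
        'bio' => 'hello',
        '#post_render' => ['unexpected'],   // nested '#' key, must be dropped
    ],
    '#access' => 'TRUE',                    // top-level '#' key, must be dropped
];

$removed = [];
sanitize_request_array($request, '$_POST', $removed);

// Sanitized request keeps only name, mail and profile[bio].
print_r($request);
// Defender-side record of what was stripped: $_POST[profile][#post_render], $_POST[#access]
print_r($removed);
```

The real 7.58 sanitizer also applies the same treatment to cookies and the combined request array, and offers a configurable whitelist plus optional logging of dropped keys, which is worth enabling so that stripped parameters show up in watchdog for detection.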
