Hackers Started Exploiting Drupal Bug

By Swapnil Bhartiya

The bug affects Drupal 8 sites.

Hackers have started exploiting a security flaw in Drupal that was patched last week. Imperva reported that they started seeing attacks on February 23, after the two vulnerabilities were patched and proof-of-concept (PoC) exploit code was made available publicly. Attackers tried to install CoinIMP, a JavaScript cryptocurrency miner on unpatched sites.

Drupal wrote in an advisory that CVE 2019-6340 and SA-CORE-2019-003 can lead to arbitrary PHP code execution in some cases as some field types do not properly sanitize data from non-form sources.

The advisory said that a site can be affected if it meets one of these conditions: the site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PATCH, or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Drupal doesn’t have any automated update mechanism, and updating Drupal is more involved than updating WordPress, which means many sites may still be unpatched.

The vulnerabilities affect only Drupal 8 sites; unless you have Services or RESTful Web Services enabled in Drupal 7.

According to ZDNet, there are only 63,000 Drupal 8 sites, which means there might not be enough incentive for hackers to spend their time searching out Drupal 8 sites to attack. Still, Drupal 8 admins are advised to install the patch as soon as possible.

02/26/2019