Scroll Top

Vulnerabilities in Drupal Pear library (CVE-2018-1000888)

January 18, 2019

The Drupal content management system (CMS) has released two security updates on Wednesday, each designed to mitigate critical security vulnerabilities in the content management framework. These vulnerabilities were reported by network security and ethical hacking experts from the International Institute of Cyber Security and allow a malicious user to take control of the affected system.

Drupal code header

In addition, one of the known issues with Drupal specifically related to this problem is a fatal error occurring when updating a site with Drush, a command line shell for Drupal.

More information regarding the fatal errors related to Drush can be found on this page.

The released update patches are for the 7.x, 8.5.x and 8.6.x versions of Drupal and can be corrected by updating Drupal to versions 7.62, 8.5.9 or 8.6.6.

 

CVE-2018-1000888

The first advisory, tracked as CVE-2018-1000888, is related to the implementation of the PEAR Archive_Tar Library, a plugin developed by third parties, which was also corrected by its editors. If exploited, this vulnerability could lead to remote code execution, as reported by network security experts.

 

Second vulnerability

The second vulnerability, which does not yet have a CVE key assigned, is a remote code execution flaw that exists in PHP built-in phar wrapper. This could lead to the attacker performing file operations on an untrusted phar://URI. This in turn could cause a problem when some Drupal codes, such as core, contrib, or custom, could be performing file operations on a user input that was not sufficiently validated, leaving them exposed to this vulnerability.

There is currently no evidence that these vulnerabilities have been exploited in real environments, as their exploitation is complex because administrator privileges are required for exploitation in vulnerable systems.

Not every Drupal instance will be vulnerable to attack either: most webapps won’t chuck user input into file calls without stripping out anything that looks like a protocol like phar://.

 

Drupal advisory

 

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.

Related Posts

First Drupal Security Update issued for 2019

Drupal is an open source Content Management System (CMS) which is free to download and use; it allows you to create and manage websites, intranets, and web applications without writing any code. It is used often among global enterprises, governments, higher education institutions, and NGOs. Join Our Online Security…

16 Feb 2019
Drupal security vulnerabilities discovered SA-CORE-2017-003

  Multiple vulnerabilities for the Drupal CMS have been discovered. Drupal have released versions 8.3.4 and 7.56 which contain fixes for these security vulnerabilities. We recommend that you update Drupal as soon as possible. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news,…

24 Jun 2017
Drupal Core Vulnerability

This Public Service Announcement is a follow up to SA-CORE-2014-005 – Drupal core – SQL injection. This is not an announcement of a new vulnerability in Drupal. Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of…

30 Oct 2014
PHP PEAR package manager and website compromised

Important: If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, is it possible that your server has been compromised. PEAR, which stands for “PHP Extension and Application Repository,” is a community-driven framework and is the first package manager that was…

23 Jan 2019

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
We respect your privacy.
close-link
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy