Vulnerabilities in Drupal Pear library (CVE-2018-1000888)

The Drupal content management system (CMS) has released two security updates on Wednesday, each designed to mitigate critical security vulnerabilities in the content management framework. These vulnerabilities were reported by network security and ethical hacking experts from the International Institute of Cyber Security and allow a malicious user to take control of the affected system.

Drupal code header

In addition, one of the known issues with Drupal specifically related to this problem is a fatal error occurring when updating a site with Drush, a command line shell for Drupal.

More information regarding the fatal errors related to Drush can be found on this page.

The released update patches are for the 7.x, 8.5.x and 8.6.x versions of Drupal and can be corrected by updating Drupal to versions 7.62, 8.5.9 or 8.6.6.

 

CVE-2018-1000888

The first advisory, tracked as CVE-2018-1000888, is related to the implementation of the PEAR Archive_Tar Library, a plugin developed by third parties, which was also corrected by its editors. If exploited, this vulnerability could lead to remote code execution, as reported by network security experts.

 

Second vulnerability

The second vulnerability, which does not yet have a CVE key assigned, is a remote code execution flaw that exists in PHP built-in phar wrapper. This could lead to the attacker performing file operations on an untrusted phar://URI. This in turn could cause a problem when some Drupal codes, such as core, contrib, or custom, could be performing file operations on a user input that was not sufficiently validated, leaving them exposed to this vulnerability.

There is currently no evidence that these vulnerabilities have been exploited in real environments, as their exploitation is complex because administrator privileges are required for exploitation in vulnerable systems.

Not every Drupal instance will be vulnerable to attack either: most webapps won’t chuck user input into file calls without stripping out anything that looks like a protocol like phar://.

 

Drupal advisory

 

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW

Related Posts

Join Our Online Security and Hosting Newsletter Today

and stay updated with the latest news, updates, releases & much more.
Subscribe
SUBSCRIBE NOW
close-link