The Drupal content management system (CMS) has released two security updates on Wednesday, each designed to mitigate critical security vulnerabilities in the content management framework. These vulnerabilities were reported by network security and ethical hacking experts from the International Institute of Cyber Security and allow a malicious user to take control of the affected system.
In addition, one of the known issues with Drupal specifically related to this problem is a fatal error occurring when updating a site with Drush, a command line shell for Drupal.
More information regarding the fatal errors related to Drush can be found on this page.
The updates cover the 7.x, 8.5.x and 8.6.x branches of Drupal; affected sites are fixed by updating to versions 7.62, 8.5.9 or 8.6.6.
CVE-2018-1000888
The first advisory, tracked as CVE-2018-1000888, concerns the PEAR Archive_Tar library, a third-party dependency that has also been patched by its maintainers. If exploited, this vulnerability could lead to remote code execution, as reported by network security experts.
Second vulnerability
The second vulnerability, which does not yet have a CVE identifier assigned, is a remote code execution flaw in PHP's built-in phar stream wrapper. It can lead to an attacker performing file operations on an untrusted phar:// URI. This becomes a problem when Drupal code, whether core, contrib or custom, performs file operations on user input that was not sufficiently validated, leaving it exposed to this vulnerability.
There is currently no evidence that these vulnerabilities have been exploited in the wild; exploitation is complex because administrator privileges are required on the vulnerable system.
Not every Drupal instance will be vulnerable either: most web applications won't pass user input into file calls without stripping out anything that looks like a protocol, such as phar://.
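As an added example that is not from the advisory or from Drupal core, the vulnerable pattern the advisory describes (a PHP file function called on raw user input) is shown beside a path validator that rejects stream-wrapper URIs before any file operation runs; the base directory and the `f` query parameter are assumptions for a hypothetical custom module. Drupal's own fix instead intercepts the phar stream wrapper globally, so this guard illustrates the input-validation side the text refers to.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal core code. Assumed: a custom module serving files
// from ALLOWED_BASE, selected by the hypothetical query parameter "f".
const ALLOWED_BASE = '/var/www/html/sites/default/files/';
// Return a path confined to ALLOWED_BASE, or null if the input must be rejected:
// any registered stream wrapper (phar://, php://, data://, ...), anything else
// shaped like scheme:, NUL bytes, and ../ escapes are all refused.
function safeFilePath(string $userInput): ?string
{
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        return null;
    }
    // Check the raw input before any normalisation that could hide a scheme;
    // PHP matches wrapper names case-insensitively, so lowercase first.
    $lower = strtolower($userInput);
    foreach (stream_get_wrappers() as $wrapper) {
        if (strncmp($lower, $wrapper . '://', strlen($wrapper) + 3) === 0) {
            return null;
        }
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userInput)) {
        return null; // unknown scheme (or drive letter): treat as hostile
    }
    // Normalise textually: realpath() would itself touch the filesystem with
    // the untrusted string, which is exactly the operation being guarded.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $userInput)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (array_pop($parts) === null) {
                return null; // attempted to climb above the base directory
            }
            continue;
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : ALLOWED_BASE . implode('/', $parts);
}
// Vulnerable pattern from the advisory: a file function on raw input resolves
// phar:// and unserialises the archive's metadata, e.g.
//   if (file_exists($_GET['f'])) { readfile($_GET['f']); }   // do NOT do this
// Hardened pattern: validate first, then touch the filesystem only via the path.
$path = safeFilePath($_GET['f'] ?? '');
if ($path !== null && is_file($path)) {
    readfile($path);
}
```

The validator deliberately avoids realpath() and file_exists() on the untrusted string, because those are exactly the calls that would dereference a phar:// URI.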