Drupal Remote Code Execution flaw affects millions of websites
The Drupal open-source content management system has issued an advisory for a highly critical remote code execution (RCE) flaw in Drupal core. The vulnerability, CVE-2019-6340, arises because some field types do not properly sanitize data from non-form sources, that is, data that reaches an entity through a web services request rather than through a form submission. Missing input validation of that kind can turn into code injection, enabling cross-site scripting, site or server hijacking and, in some cases, credential phishing or malware distribution. Drupal stated that this vulnerability can lead to arbitrary PHP code execution in some cases.
Attackers prize CMS flaws because a single bug gives them a route into millions of sites at once. Drupal provides the back-end framework for at least 4.6 percent of websites worldwide, from personal blogs to corporate, political and government sites. That share sounds small, but it makes Drupal the third most popular web platform after WordPress and Joomla, and with around 1.6 billion websites online today it works out to roughly 73.6 million Drupal sites.
Affected contributed projects include OAuth 2.0, Entity Registration, Font Awesome Icons, JSON:API and RESTful Web Services, among others, so admins also need to grab updates for those if they are in use. A site is affected only if one of two conditions holds: the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or another web services module is enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Sites on Drupal 8.6.x should upgrade to Drupal 8.6.10; sites on Drupal 8.5.x or earlier should upgrade to Drupal 8.5.11. No core update is required for Drupal 7, and the Drupal 7 Services module itself does not need one, but admins should still apply the other contributed updates tied to the advisory. To mitigate the vulnerability before the updates can be applied, admins should disable all web services modules, or configure their web servers to reject PUT/PATCH/POST requests to web services resources. When blocking by path, cover every route a resource answers on: Drupal 8 routes also respond when prefixed with index.php/, and Drupal 7 resources are reachable both as clean URLs and through the q query argument.
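The affected-set and upgrade rules above, turned into a checklist function as an added example (this is not code from Drupal or from the advisory). It takes the facts an admin can collect with drush: the core version from `drush status`, enabled module machine names from `drush pm:list --status=enabled`, and the methods allowed on `rest.resource.*` configuration from `drush config:get`. The `Site` structure, the `assess` function and the treatment of 8.7+ as already containing the fix are assumptions of the example, not part of the advisory.

```python
"""Classify a Drupal install against SA-CORE-2019-003 / CVE-2019-6340.

Added example, not code from Drupal or the advisory.  The input shape
(a Site record) is an assumption; the rules encoded are the advisory's:
  - affected if D8 core rest is enabled with POST/PATCH allowed, or
    jsonapi is enabled, or D7 has services / restws enabled;
  - 8.6.x needs 8.6.10, 8.5.x or earlier needs 8.5.11, D7 core needs nothing.
"""

from dataclasses import dataclass, field

# Fixed core releases named in the advisory, as comparable tuples.
FIXED_8_6 = (8, 6, 10)
FIXED_8_5 = (8, 5, 11)

# Module machine names of the web services modules the advisory lists.
D8_REST = "rest"
D8_JSONAPI = "jsonapi"
D7_WEB_SERVICES = {"services", "restws"}


def parse_version(text):
    """'8.6.9' -> (8, 6, 9); '7.63' -> (7, 63).  A '-dev' or '-rc1' suffix is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def core_fix_version(version):
    """Smallest fixed core release the site must move to, or None when core
    needs no update: Drupal 7 core is not affected, the install is already at
    or past the fix, or (assumption) it is on 8.7+, which postdates the fix."""
    v = parse_version(version)
    if v[0] != 8 or v[1] >= 7:
        return None
    target = FIXED_8_6 if v[1] == 6 else FIXED_8_5   # "8.5.x or earlier" -> 8.5.11
    if v >= target:
        return None
    return ".".join(str(n) for n in target)


@dataclass
class Site:
    version: str
    modules: set                                  # enabled module machine names
    rest_methods: set = field(default_factory=set)  # union of configuration.methods over rest.resource.* configs


def exposure(site):
    """(exposed, reason): does the site meet one of the advisory's two conditions?"""
    major = parse_version(site.version)[0]
    if major == 8:
        if D8_REST in site.modules and site.rest_methods & {"POST", "PATCH"}:
            return True, "core rest module enabled with POST/PATCH allowed"
        if D8_JSONAPI in site.modules:
            return True, "jsonapi module enabled"
    if major == 7:
        enabled = D7_WEB_SERVICES & site.modules
        if enabled:
            return True, "Drupal 7 web services module enabled: " + ", ".join(sorted(enabled))
    return False, "no web services module accepting write requests"


def assess(site):
    """Combine exposure and fix version into the action an admin should take."""
    exposed, reason = exposure(site)
    fix = core_fix_version(site.version)
    if not exposed:
        action = "not affected by this advisory; update core on the normal schedule"
    elif fix:
        action = (f"update core to {fix}, then contributed modules; until then disable "
                  "web services modules or block PUT/PATCH/POST to their resources")
    else:
        action = "core needs no update; apply the contributed-module updates tied to the advisory"
    return {"exposed": exposed, "reason": reason, "core_fix": fix, "action": action}


if __name__ == "__main__":
    # Constructed sample inventories, one per branch of the rules.
    for site in (Site("8.6.9", {"node", "rest"}, {"GET", "POST"}),
                 Site("8.4.8", {"jsonapi"}),
                 Site("7.63", {"services"})):
        print(site.version, assess(site))
```

The version comparison is done on integer tuples rather than strings so that 8.6.9 sorts below 8.6.10; a string comparison would get that wrong.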
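To find out whether anyone has been sending the write requests the mitigation blocks, or to confirm that a web server rule is actually rejecting them, the following added example (not Drupal's code) scans combined-format access log lines for PUT/PATCH/POST requests aimed at web services routes. It relies on three facts about Drupal routing: Drupal 8 REST selects its serialization format with the `_format` query parameter, JSON:API lives under `/jsonapi/`, and routes also answer when prefixed with `index.php/` or, on Drupal 7, passed through the `q` argument. The `/rest/` prefix for Drupal 7 Services endpoints is a per-site setting and is assumed here; the log lines are constructed.

```python
"""Flag write requests to Drupal web services routes in access logs.

Added example, not Drupal's code.  Assumptions: combined log format,
and a Drupal 7 Services endpoint mounted at /rest/ (site-specific).
"""

import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined format: client, ident, user, [time], "METHOD target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WRITE_METHODS = {"POST", "PUT", "PATCH"}
D7_SERVICES_PREFIX = "/rest/"   # assumption: the endpoint path configured in Services


def is_web_services_target(target):
    """True when the request target resolves to a REST, JSON:API or Services route."""
    parts = urlsplit(target)
    path = parts.path
    query = parse_qs(parts.query)
    # Drupal 8 routes also answer under /index.php/...; strip that prefix.
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    # Drupal 7 without clean URLs routes through ?q=...
    if "q" in query:
        path = "/" + query["q"][0].lstrip("/")
    if "_format" in query:                       # Drupal 8 REST format selection
        return True
    if path == "/jsonapi" or path.startswith("/jsonapi/"):
        return True
    return path.startswith(D7_SERVICES_PREFIX)


def suspicious(line):
    """Return the parsed fields of a write request to a web services route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] in WRITE_METHODS and is_web_services_target(m["target"]):
        return m.groupdict()
    return None


def scan(lines):
    return [hit for hit in map(suspicious, lines) if hit]


# Constructed sample log lines: two REST writes (one via index.php/), a REST
# read, a JSON:API write that was rejected, an ordinary node edit form post,
# and a Drupal 7 Services write routed through ?q=.
SAMPLE = [
    '203.0.113.5 - - [21/Feb/2019:03:14:07 +0000] "POST /node?_format=hal_json HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '203.0.113.5 - - [21/Feb/2019:03:14:09 +0000] "POST /index.php/node?_format=hal_json HTTP/1.1" 200 512 "-" "python-requests/2.21.0"',
    '198.51.100.7 - - [21/Feb/2019:03:15:01 +0000] "GET /node/12?_format=json HTTP/1.1" 200 1460 "-" "curl/7.64.0"',
    '198.51.100.9 - - [21/Feb/2019:03:16:22 +0000] "PATCH /jsonapi/node/article/1c3b8f0e-5c2a-4b8e-9d1a-2f3e4c5d6e7f HTTP/1.1" 403 89 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Feb/2019:03:17:45 +0000] "POST /node/12/edit HTTP/1.1" 303 0 "https://example.com/node/12/edit" "Mozilla/5.0"',
    '192.0.2.11 - - [21/Feb/2019:03:18:00 +0000] "POST /index.php?q=rest/node.json HTTP/1.1" 200 301 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["ts"], hit["ip"], hit["method"], hit["target"], hit["status"])
```

A hit is not proof of exploitation: on a site that legitimately uses REST or JSON:API it is an inventory of write requests to review against known clients. Once the web server rule from the mitigation is in place, the status field for these entries should read 403 or 405; a 200 after that point means a route the rule does not cover.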