The Drupal security team discovered this vulnerability one week ago. It is rated highly critical (20/25 NIST rank), is tracked as SA-CORE-2018-004 / CVE-2018-7602, and is nicknamed Drupalgeddon 3. It continues Drupalgeddon 2 and allows an unauthenticated attacker to perform remote code execution.
An exploitation method for this vulnerability was published a few days ago; it allows an attacker to execute any code on the server with user permissions.
Protecting with ModSecurity
Several exploitation methods have been published for this vulnerability, so here is one example of how you can protect against this attack:
    # drupalgeddon3 - SA-CORE-2018-004
    SecRule &ARGS_NAMES|&REQUEST_COOKIES_NAMES "@gt 0" \
        "id:500059,phase:2,t:none,chain,deny,log,msg:'Malware.Expert - Drupal - remote code execution'"
        SecRule ARGS:destination|REQUEST_COOKIES:destination "@pm [# [%23 [%2523" \
            "t:none,t:lowercase,t:removeWhitespace"
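To check existing access logs for requests the rule above would have matched, the following added example (not part of the original post or of the Malware Expert rule set) applies the same phrase match and transformations to the destination query argument of each logged request. It assumes common/combined log format and covers only the query string, since cookies and POST bodies are not in the access log; the sample lines and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Phrases taken from the rule's @pm operator.
PHRASES = ("[#", "[%23", "[%2523")
# Request target inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation IPs, placeholder key "x").
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2018:10:00:00 +0000] "GET /user/login?destination=/node/1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2018:10:00:05 +0000] "POST /index.php?destination=node%3Fq%5B%2523x%5D%3D1 HTTP/1.1" 200 734',
    '203.0.113.9 - - [01/May/2018:10:00:09 +0000] "GET /?destination=a%5B%20%23x%5D HTTP/1.1" 200 90',
]


def normalise(value):
    """Apply t:lowercase then t:removeWhitespace, as the chained rule does."""
    return re.sub(r"\s+", "", value.lower())


def destination_hits(request_target):
    """Return the rule phrases found in any 'destination' query argument."""
    hits = []
    query = urlsplit(request_target).query
    # parse_qsl URL-decodes once, as ModSecurity does when it populates ARGS.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "destination":
            norm = normalise(value)
            hits.extend(p for p in PHRASES if p in norm)
    return hits


def scan(lines):
    """Yield (line_number, request_target, phrases) for matching entries."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = destination_hits(match.group(1)) if match else []
        if hits:
            yield number, match.group(1), hits


if __name__ == "__main__":
    for number, target, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {target} matched {hits}")
```

The third sample line only matches after whitespace removal, which is why the rule applies t:removeWhitespace before the phrase match.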
Final words
If you have not already done so, update your Drupal installation as soon as possible!
Websites that use Malware Expert – ModSecurity rules are protected against this attack.