Drupal – Remote Code Execution (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3


The Drupal security team disclosed this vulnerability a week ago. It is rated highly critical (a NIST risk score of 20/25) and is tracked as SA-CORE-2018-004 / CVE-2018-7602, nicknamed Drupalgeddon 3. It is a follow-up to Drupalgeddon 2 and allows an unauthenticated attacker to perform remote code execution.

An exploitation method for this vulnerability was published a few days ago; it lets an attacker execute arbitrary code on the server with the permissions of the web server's user.

Protecting with ModSecurity

Several exploitation methods for this vulnerability have been published, so here is one example of how you can protect against this attack with ModSecurity:

# drupalgeddon3 - SA-CORE-2018-004
# Rule 1: fire only when the request carries at least one argument or cookie,
# then chain into rule 2 (the deny/log actions apply when the whole chain matches).
SecRule &ARGS_NAMES|&REQUEST_COOKIES_NAMES "@gt 0" \
    "id:500059,phase:2,t:none,chain,deny,log,msg:'Malware.Expert - Drupal - remote code execution'"
    # Rule 2: look for the "[#" marker (plain, or under one or two extra layers of
    # URL encoding) in a 'destination' argument or cookie.
    SecRule ARGS:destination|REQUEST_COOKIES:destination "@pm [# [%23 [%2523" \
        "t:none,t:lowercase,t:removeWhitespace"
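To see exactly what the chained rule above matches, here is an added Python emulation of its two stages run over constructed sample requests; it is not ModSecurity and not the rule author's code. It assumes parse_qs stands in for ModSecurity's single URL-decoding of ARGS, and every sample query string is made up.

```python
from urllib.parse import parse_qs

# Phrases from the rule's "@pm" list on this page.
PHRASES = ("[#", "[%23", "[%2523")

def transform(value: str) -> str:
    """Apply the chained rule's transformations: t:lowercase, then t:removeWhitespace."""
    return "".join(value.lower().split())

def rule_matches(args: dict, cookies: dict) -> bool:
    """Emulate the two-stage chain.

    Stage 1: &ARGS_NAMES|&REQUEST_COOKIES_NAMES "@gt 0" -> the request must carry
             at least one argument or cookie, otherwise the chain never fires.
    Stage 2: ARGS:destination|REQUEST_COOKIES:destination "@pm ..." -> only a
             parameter or cookie literally named 'destination' is inspected.
    """
    if len(args) + len(cookies) == 0:
        return False
    for value in args.get("destination", []) + cookies.get("destination", []):
        if any(p in transform(value) for p in PHRASES):  # @pm: any listed phrase as substring
            return True
    return False

def would_deny(query_string: str, cookie_header: str = "") -> bool:
    """Parse a raw query string and Cookie header and report whether the rule would deny.

    parse_qs URL-decodes each value exactly once, standing in for ModSecurity's own
    decoding of ARGS (an assumption of this emulation); cookie values are taken as-is.
    """
    args = parse_qs(query_string, keep_blank_values=True)
    cookies: dict = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies.setdefault(name, []).append(val)
    return rule_matches(args, cookies)

if __name__ == "__main__":
    # Constructed sample requests (not taken from the page or from any exploit).
    samples = {
        "benign":           "q=user/login&destination=/node/1",
        "raw marker":       "destination=/node?x[#y]=1",
        "single-encoded":   "destination=/node?x[%23y]=1",
        "double-encoded":   "destination=/node?x[%2523y]=1",
        "space-obfuscated": "destination=/node?x[%20%23y]=1",
        "marker elsewhere": "x[#y]=1",   # not in 'destination': outside this rule's scope
    }
    for label, qs in samples.items():
        print(f"{label:17} -> {'DENY' if would_deny(qs) else 'pass'}")
```

Because the engine decodes ARGS once before the rule sees them, the `[%23` and `[%2523` phrases catch the same marker hidden under one or two extra layers of URL encoding, and `t:removeWhitespace` defeats the space-padded variant. The last sample shows the rule's limit: a marker in any parameter other than `destination` is not covered by this rule.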

Final words

If you have not already, update your Drupal installation as soon as possible!

Websites that use Malware Expert ModSecurity rules are protected against this attack.