Drupal – Remote Code Execution (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3


This vulnerability discovered Drupal security team one weeks ago, a highly critical (20/25 NIST rank), (SA-CORE-2018-004 / CVE-2018-7602) nicknamed Drupalgeddon 3. This vulnerability continues Drupalgeddon 2 and allow an unauthenticated attacker to perform remote code execution.

An exploitation method was published a few days ago for this vulnerability which allows attacker in the server execute any code with user permission.

Protecting with Mod_security

There are published several exploitation methods this vulnerability, so where one example how you can protect with this attack:

# drupalgeddon3 - SA-CORE-2018-004
"id:500059,phase:2,t:none,chain,deny,log,msg:'Malware.Expert - Drupal - remote code execution'"
SecRule ARGS:destination|REQUEST_COOKIES:destination "@pm [# [%23 [%2523" \ "t:none,t:lowercase,t:removeWhitespace"

Final words

If you have not already, update as soon as possible your drupal installation!

Websites that using Malware Expert – ModSecurity rules are protected against this attack.