2 min Security

Millions of websites at risk from vulnerability in Drupal

Millions of websites at risk from vulnerability in Drupal

Millions of websites using the Drupal content management system are at risk of being taken over. Drupal contains a vulnerability that allows hackers to remotely execute malicious code. Ars Technica reports that managers of the open source project are warning about this. A patch is available for the problem.

The vulnerability is monitored under the code CVE-2019-6340. The problem comes from an error that does not sufficiently validate user input. Hackers who abuse the vulnerability can in some cases run code of their choice on vulnerable websites. The error is therefore regarded as highly critical.

However, a website is not just vulnerable. It is if it has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests. In addition, a website is vulnerable if it has another Web services module enabled, such as JSON:API in Drupal 8, Services or RESTful Web Services in Drupal 7.

Project managers urge administrators of vulnerable websites to update them immediately. Websites running version 8.6.x should upgrade to 8.6.10. Websites running 8.5.x or earlier versions should upgrade to 8.5.11. Also, websites should update all available security updates for contributed projects, after updating the Drupal core. Drupal 7 does not require a core update, although several contributed modules do require updates.

Millions of sites

After WordPress and Joomla, Drupal is the most widely used CMS. It is estimated that 3 to 4 percent of the more than a billion websites run on the CMS, which means tens of millions of websites. Critical vulnerabilities in a CMS are also popular with hackers, because the vulnerabilities against many websites can be used with a single, often easy to write script.

There are as yet no reports that the vulnerability now found is being abused in the wild. However, there is a good chance that this will happen.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.