Millions of sites running the Drupal content management system are at risk of being hijacked until they are patched against a vulnerability that allows attackers to remotely execute malicious code, the open source project's maintainers warned on Wednesday.
For a site to be vulnerable, one of the following conditions must be met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- The site has another web services module enabled, such as JSON:API on Drupal 8, or RESTful Web Services or Services on Drupal 7.
Project maintainers urge administrators of vulnerable sites to update immediately. For sites running 8.6.x, that means upgrading to 8.6.10; sites running 8.5.x or earlier should upgrade to 8.5.11. Sites should also install any available security updates for contributed projects after the Drupal core update. No core update is required for Drupal 7, but some contributed Drupal 7 modules require updates.
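The exposure conditions and fixed releases above, turned into a small triage helper a site administrator could run over an inventory. This is an added example, not code from the article or from the Drupal project; the module machine names (rest, jsonapi, restws, services) are assumptions of the example, and the version strings come from your own site inventory.

```python
# Triage helper for the Drupal core advisory summarised above (added example,
# not the project's own code). Encodes the advisory's stated conditions.
from typing import Iterable, Tuple

FIXED_8_6 = (8, 6, 10)   # fixed release for 8.6.x sites
FIXED_8_5 = (8, 5, 11)   # fixed release for 8.5.x-and-earlier sites

# Module machine names are an assumption of this example, not from the article:
# Drupal 8 'rest' (core RESTful Web Services), 'jsonapi' (JSON:API);
# Drupal 7 'restws' (RESTful Web Services), 'services' (Services).
D8_OTHER_WEB_SERVICES = {"jsonapi"}
D7_WEB_SERVICES = {"restws", "services"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'8.6.9' -> (8, 6, 9); a missing patch component counts as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]] + [0, 0]
    return parts[0], parts[1], parts[2]


def core_is_patched(version: str) -> bool:
    """True when core already carries the fix (Drupal 7 core needs none)."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return True
    if (major, minor) >= (8, 6):
        return (major, minor, patch) >= FIXED_8_6
    return (major, minor, patch) >= FIXED_8_5


def web_services_exposed(version: str, enabled_modules: Iterable[str],
                         rest_methods: Iterable[str] = ()) -> bool:
    """True when one of the advisory's exposure conditions holds.
    rest_methods: HTTP methods allowed on core REST module resources."""
    major = parse_version(version)[0]
    modules = {m.lower() for m in enabled_modules}
    methods = {m.upper() for m in rest_methods}
    if major == 7:
        return bool(modules & D7_WEB_SERVICES)
    rest_writable = "rest" in modules and bool(methods & {"POST", "PATCH"})
    return rest_writable or bool(modules & D8_OTHER_WEB_SERVICES)


def triage(version: str, enabled_modules: Iterable[str],
           rest_methods: Iterable[str] = ()) -> str:
    """One-line verdict for a site, following the advisory's update advice."""
    exposed = web_services_exposed(version, enabled_modules, rest_methods)
    if parse_version(version)[0] == 7:
        return "check contributed module updates" if exposed else "not exposed"
    if core_is_patched(version):
        return "core patched"
    return "vulnerable: update core now" if exposed else "not exposed: update anyway"
```

Sites that report "not exposed" should still update, since enabling a web services module later would open the same path.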
Popular hacking target
Drupal is the third most widely used CMS, behind WordPress and Joomla. It powers about 3 to 4 percent of the world's billion-plus websites, meaning Drupal runs on tens of millions of sites. Critical flaws in any CMS are popular among hackers, because a vulnerability can be exploited against large numbers of sites with a single, often easy-to-write script.
In 2014 and again last year, hackers wasted no time exploiting critical code-execution vulnerabilities shortly after they were fixed by Drupal's project leaders. Last year's "Drupalgeddon2" vulnerability was still being exploited six weeks after it was patched, an indication that many sites running Drupal had not heeded the advice to patch immediately.
At the time this post went live, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. That is subject to change. This post will be updated if new information becomes available.