Millions of websites threatened by extremely critical code-execution bug on Drupal

Millions of sites running the Drupal content management system are at risk of being hijacked until they are patched against a vulnerability that allows attackers to remotely execute malicious code, the open source project's maintainers warned on Wednesday.

CVE-2019-6340, as the vulnerability is tracked, stems from a failure to sufficiently validate user input, the maintainers said in an advisory. Attackers who exploit the vulnerability can, in some cases, run code of their choosing on vulnerable websites. "Some types of fields do not properly sanitize data from non-form sources," the advisory stated. "This can lead to arbitrary PHP code execution in some cases."

For a site to be vulnerable, one of the following conditions must be met:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • The site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

Project maintainers urged administrators of vulnerable websites to update immediately. For sites running version 8.6.x, that means upgrading to 8.6.10; sites running 8.5.x or earlier should upgrade to 8.5.11. Sites should also install any available security updates for contributed projects after the Drupal core update. No core update is required for Drupal 7, but some Drupal 7 contributed modules do require updates.
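The two preconditions listed above and the fixed release numbers can be combined into a quick exposure check an administrator can run against a site's own version string and module list. This is an added example, not code from Drupal or from the article; the version thresholds and conditions are the article's, while the input format (a version string, a list of enabled module machine names, and the allowed REST methods) is an assumption about what the administrator gathers from the site.

```python
"""Exposure check for the Drupal advisory described above (CVE-2019-6340).

Added example: thresholds and preconditions come from the advisory text;
the inputs (version string, enabled module machine names, allowed REST
methods) are assumed to be gathered by the administrator from the site.
"""
import re

FIXED_8_6 = (8, 6, 10)   # 8.6.x sites must be at 8.6.10 or later
FIXED_8_5 = (8, 5, 11)   # 8.5.x or earlier must upgrade to 8.5.11
# Module machine names for the web services modules the advisory names.
WEB_SERVICE_MODULES_8 = {"jsonapi"}            # JSON:API on Drupal 8
WEB_SERVICE_MODULES_7 = {"restws", "services"}  # RESTful Web Services, Services on Drupal 7

def parse_version(version):
    """Parse '8.6.9' or '7.64' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def core_patched(version):
    """True if Drupal core itself carries the fix (Drupal 7 core needs none)."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return True
    if major == 8 and minor <= 5:
        return (major, minor, patch) >= FIXED_8_5
    return (major, minor, patch) >= FIXED_8_6   # 8.6.x and anything newer

def assess_exposure(version, enabled_modules, rest_methods=()):
    """Return (exposed, reason), following the advisory's two preconditions."""
    major = parse_version(version)[0]
    mods = set(enabled_modules)
    methods = {m.upper() for m in rest_methods}
    if major == 7:
        risky = mods & WEB_SERVICE_MODULES_7
        if risky:
            return True, "Drupal 7 web services modules need updates: " + ", ".join(sorted(risky))
        return False, "no affected Drupal 7 web services module enabled"
    if core_patched(version):
        return False, "core is already at a fixed release"
    if "rest" in mods and methods & {"PATCH", "POST"}:
        return True, "core rest module enabled with PATCH/POST allowed; upgrade core"
    risky = mods & WEB_SERVICE_MODULES_8
    if risky:
        return True, "web services module enabled (%s); upgrade core" % ", ".join(sorted(risky))
    return False, "unpatched core but neither precondition met; upgrade anyway"
```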

Popular hacking target

Drupal is the third most widely used CMS, behind WordPress and Joomla. It powers about 3 percent to 4 percent of the world's billion-plus websites, meaning Drupal runs on tens of millions of sites. Critical flaws in any CMS are popular among hackers, since the vulnerabilities can be exploited against large numbers of sites with a single, often easily written script.

In 2014 and again last year, hackers wasted no time exploiting critical code-execution vulnerabilities shortly after they were fixed by Drupal's project leaders. Last year's "Drupalgeddon2" vulnerability was still being exploited six weeks after it was patched, an indication that many sites running Drupal did not heed the advice to patch immediately.

At the time this post went live, there were no reports of the latest Drupal vulnerability being actively exploited in the wild. That is obviously subject to change. This post will be updated if new information becomes available.
