
Drupal issues critical security alert


By Dylan Bushell-Embling
Tuesday, 26 February, 2019



Drupal has issued a “highly critical” security alert after uncovering a remote code execution vulnerability in some versions of the Drupal core.

The vulnerability in the open source content management software, which already has known exploits, could allow for arbitrary PHP code execution under some circumstances.

The issue has emerged because some field types have been found not to properly sanitise data from non-form sources, the alert states.

Drupal issued the alert on 20 February and issued an update three days later warning that there are public exploits now available for the vulnerability.

According to the company, sites are at risk if they are running versions of Drupal 8 and have particular web service modules enabled or allow PATCH or POST requests.

Drupal’s security team has issued patches for the vulnerability for both the Drupal 8.6.x and Drupal 8.5.x branches, and has advised that no core update is required for Drupal 7. Versions of Drupal prior to 8.5.x have been discontinued.

The vulnerability can be mitigated immediately prior to patching by disabling all web services modules, or by configuring web servers not to allow GET, PUT, PATCH or POST requests to web service resources.
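One way to confirm from access logs that a web server block of this kind is taking effect, as an added example that is not code from Drupal or from this article. It assumes Common/Combined Log Format, that web service resources are recognisable by a `_format=` query parameter or a `/jsonapi` path prefix, and that the block answers with 403 or 405; the log lines are constructed.

```python
import re

# Assumptions (not from the article): Common/Combined Log Format, web service
# resources recognised by a "_format=" query parameter or a "/jsonapi" path
# prefix, and a web server block that answers with 403 or 405.
RESOURCE = re.compile(r"[?&]_format=|^/jsonapi(/|\?|$)")
METHODS = {"GET", "PUT", "PATCH", "POST"}  # methods named in the mitigation
BLOCK_STATUSES = {403, 405}
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2019:10:00:01 +1100] "GET /node/1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Feb/2019:10:00:02 +1100] "PATCH /node/1?_format=json HTTP/1.1" 403 199',
    '198.51.100.7 - - [24/Feb/2019:10:00:03 +1100] "POST /jsonapi/node/article HTTP/1.1" 201 812',
    '192.0.2.10 - - [24/Feb/2019:10:00:04 +1100] "GET /node/2?_format=json HTTP/1.1" 200 640',
    '203.0.113.5 - - [24/Feb/2019:10:00:05 +1100] "POST /user/login HTTP/1.1" 303 0',
]


def unblocked_requests(lines, block_statuses=BLOCK_STATUSES):
    """Return requests to web service resources that were not refused."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        if (entry["method"] in METHODS
                and RESOURCE.search(entry["path"])
                and entry["status"] not in block_statuses):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # Any line printed here reached a web service resource without being refused.
    for e in unblocked_requests(SAMPLE_LOG):
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}')
```

An empty result after the block is in place is the expected outcome. The application can also answer 403 on its own, so a refused status alone does not prove the web server rule was what stopped the request.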


Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.
