Overview
Recently, Drupal released an official security advisory to announce the fixes for multiple security issues, including two critical remote code execution vulnerabilities which affect Drupal 7 and 8.
The two critical vulnerabilities are described as follows:
- Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution
When an email is sent, some variables are passed to shell for execution without proper handling, which could lead to remote code execution.
- Contextual Links Authentication – Critical – Remote Code Execution
The Contextual Links module does not sufficiently validate the requested contextual links, potentially leading to remote code execution. This vulnerability can only be exploited by attackers with access to contextual links.
For more details, see Drupal’s official security advisories from the following link:
https://www.drupal.org/sa-core-2018-006
Affected Versions
- Drupal 7.x before 7.60
- Drupal 8.6.x before 8.6.2
- Drupal 8.5.x (and earlier) before 8.5.8
Unaffected Versions
- Drupal 7.60 and later
- Drupal 8.6.2 and later
- Drupal 8.5.8 and later
Solution
Drupal has released new versions to fix the preceding vulnerabilities. Affected users should download these updates from the following links as soon as possible to protect themselves:
Drupal 7.60
https://www.drupal.org/project/drupal/releases/7.60
Drupal 8.6.2
http://www.drupal.org/project/drupal/releases/8.6.2
Drupal 8.5.8
http://www.drupal.org/project/drupal/releases/8.5.8
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
Founded in April 2000 and headquartered in Beijing, NSFOCUS Information Technology Co., Ltd. (NSFOCUS) has more than 40 branches and subsidiaries at home and abroad, providing most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors to ensure customers’ business continuity.
Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.
NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.