Drupal is one of the most popular and widely used content management systems. It is free and easy to use.
The content management framework is written in PHP and distributed under the GNU General Public License.
Symfony flaw – update your sites before hackers start exploiting the bug
However, a Symfony security flaw has recently left Drupal sites vulnerable to hackers. The vulnerability, found in the HttpFoundation component of the third-party Symfony library and tracked as CVE-2018-12773, affects Drupal versions earlier than 8.5.6 and could let attackers compromise unpatched Drupal sites.
The flaw has been patched in the most recent Drupal release.
Symfony HttpFoundation vulnerability
Symfony has released an advisory describing the flaw:
Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.
An attacker can exploit the vulnerability remotely by sending a specially crafted X-Original-URL or X-Rewrite-URL HTTP header. The header value then overrides the URL actually requested, so restrictions that a front-end cache or web server applied to the original path are bypassed and the application serves a different, potentially restricted URL.
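How the legacy header override changes the path an application resolves, and how an edge layer can neutralise and detect it, as an added Python illustration (not Symfony's or Drupal's own code; the /admin prefix, function names and sample traffic are assumptions):

```python
"""Added example: legacy X-Original-URL / X-Rewrite-URL path override,
its hardened counterpart, and a detection pass over sample requests.
Not Symfony or Drupal code; RESTRICTED_PREFIX and the traffic are assumed."""

OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")
RESTRICTED_PREFIX = "/admin"  # assumed: path the front-end cache/web server blocks


def effective_path_legacy(request_path, headers):
    """Mimics the legacy IIS-compatibility behaviour: an override header wins
    over the path in the request line (header names are case-insensitive)."""
    for name in OVERRIDE_HEADERS:
        for key, value in headers.items():
            if key.lower() == name.lower():
                return value.split("?", 1)[0]  # path only, query string dropped
    return request_path


def effective_path_hardened(request_path, headers):
    """Hardened behaviour: the request line is authoritative; overrides are ignored."""
    return request_path


def strip_override_headers(headers):
    """Drop the override headers at the edge so no downstream component honours them."""
    blocked = {name.lower() for name in OVERRIDE_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


def edge_allows(request_path):
    """What a front-end rule evaluates: only the request line, never the override headers."""
    return not request_path.startswith(RESTRICTED_PREFIX)


def mismatch_alerts(requests):
    """Detection: flag requests whose override header would change the resolved path."""
    alerts = []
    for req in requests:
        resolved = effective_path_legacy(req["path"], req["headers"])
        if resolved != req["path"]:
            alerts.append((req["client"], req["path"], resolved))
    return alerts


# Constructed sample traffic (not from the article); the edge allowed all three
# because it only saw "/" or "/node/1", yet two would resolve under /admin.
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/", "headers": {"Host": "example.test"}},
    {"client": "198.51.100.9", "path": "/", "headers": {"X-Original-URL": "/admin/config"}},
    {"client": "203.0.113.4", "path": "/node/1", "headers": {"x-rewrite-url": "/admin/people?x=1"}},
]
```

Running `mismatch_alerts(SAMPLE_REQUESTS)` reports the two requests whose resolved path differs from what the edge checked; `strip_override_headers` applied at the proxy removes the discrepancy entirely.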
Symfony has already fixed the flaw, and the Drupal patch is available in the latest version, 8.5.6.
Earlier versions of Drupal remain unpatched.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Zend Framework is also affected by the same vulnerability.
Interestingly, Drupal also noted that the same flaw affects the Zend Feed and Diactoros libraries:
The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.
The Drupal advisory recommends that users patch their websites, especially if those sites use Zend Feed or Diactoros directly.
There are millions of Drupal websites across the globe, and the content management system has become one of the main targets for attackers, especially since the discovery of its critical remote code execution vulnerability, Drupalgeddon2.
Drupal users are advised to update their websites as soon as possible, before attackers start exploiting the recently discovered and already patched bug.