It is recommended to install the released security patches as soon as possible
Drupal, the popular open source content management system, has launched a new version of its software to fix a security bypass vulnerability that could allow a hacker to remotely take control of compromised websites, as reported by enterprise network security experts from the International Institute of Cyber Security.
The vulnerability, tracked as CVE-2018-14773, resides in a component of a third-party library, called Symfony HttpFoundation component, which is being used in Drupal Core and affects Drupal 8.x versions prior to 8.5.6.
Given that Symfony, a web application framework with a set of PHP components, is being used by many projects, the vulnerability could potentially put several web applications at risk of being hacked.
Symfony Component Vulnerability
According to a statement published by Symfony, the security bypass vulnerability its caused due to Symfony support for risky HTTP headers.
A remote attack can exploit the vulnerability with a specially designed HTTP “x-Original-url” or “x-rewrite-URL” header value, which overrides the path in the request URL to potentially prevent access restrictions and make the target system display a different URL.
The vulnerability has already been corrected in the Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3, and Drupal has corrected the problem in its latest version 8.5.6.
The same flaw exists in Zend
In addition to Symfony, Drupal’s enterprise network security specialist teams discovered that there is also a similar vulnerability in the Zend Feed and Diactors libraries included in Drupal Core, which they called “URL rewrite vulnerability”.
However, the popular content management system mentioned that Drupal Core does not use the vulnerable functionality, but recommended that users patch their website, if their site or module uses Zend Feed Diactors directly.
Drupal powers millions of websites and, unfortunately, the content management system has recently been under attack since the highly critical code remote execution vulnerability, known as Drupalgeddon2, was discovered.
So that being said, before hackers began to exploit the new bug to take control of your websites, enterprise network security specialists recommend updating your sites as soon as possible.