Critical vulnerabilities found in Drupal

Developers recommend users to update their systems as soon as possible

The Drupal content management system (CMS) has just launched two security updates to correct critical vulnerabilities, as reported by network security and ethical hacking experts from the International Institute of Cyber Security. According to reports, if vulnerabilities were to be exploited, they would allow a malicious user to take control of the affected system.

Specifically, the update patches are for the 7.x, 8.5.x and 8.6.x versions of Drupal and can be corrected by updating Drupal to versions 7.62, 8.5.9 or 8.6.6.

The first critical vulnerability, tracked as CVE-2018-1000888, is related to the implementation of the PEAR Archive_Tar Library, a plugin developed by third parties, which was also corrected by its editors. If exploited, this vulnerability could lead to remote code execution, as reported by network security experts.

The second vulnerability, which does not yet have a CVE key, is a remote code execution flaw present in the PHP built-in phar wrapper when performing file operations on an untrusted phar://URI. This could cause a problem when some Drupal codes, such as core, contrib, or custom, could be performing file operations on a user input that was not sufficiently validated, leaving them exposed to this vulnerability.

Although these vulnerabilities have been considered critical, not everything is bad news. According to experts in network security, there is no evidence that security failures have been exploited in real environments, as their exploitation is complex because administrator privileges are required in vulnerable systems.