
Drupal has fixed critical bugs for which there are already exploits


Two dangerous vulnerabilities related to the use of the third-party PEAR Archive_Tar library have been patched in the Drupal CMS. The library's developers had already released an update; the corresponding changes have now been made to the Drupal core.

The library handles tar archives in PHP. Both new vulnerabilities (CVE-2020-28948 and CVE-2020-28949) allow bypassing Archive_Tar's protection against attacks that exploit the deserialization of metadata from Phar (PHP Archive) files.

Exploitation is carried out through manipulation of file names and threatens the execution of malicious PHP code or the overwriting of important files such as /passwd and /shadow.

The Drupal team rated both bugs critical, scoring them 18 out of 25 on the scale recommended by NIST (the US National Institute of Standards and Technology). It was also noted that the new vulnerabilities can be used against the CMS only when its settings allow uploading files such as .tar, .tar.gz, .bz2 or .tlz.

The vulnerabilities have been confirmed for Drupal versions 7 and 9, as well as the 8.8 and 8.9 branches. Since a PoC exploit has already been published, patches for the CMS were released urgently. Drupal users are advised to upgrade to version 7.75, 9.0.9, 8.8.12 or 8.9.10 as soon as possible. Where that is not possible, uploads of files in the listed formats from untrusted sources should be disallowed for the time being.
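The kind of pre-extraction check that sites relying on the interim mitigation can apply to archive uploads, as an added example that is neither Archive_Tar's nor Drupal's own code: every entry name and link target in an uploaded .tar/.tar.gz is inspected, and any `scheme://` prefix (in any letter case), absolute path or `..` traversal causes the archive to be refused. It is written in Python so it runs stand-alone; the sample archive and all of its entry names are constructed here.

```python
import io
import re
import tarfile

# Any "scheme://" prefix, in any letter case, is refused: a PHP stream wrapper such as
# phar:// or file:// in an entry name is what the Archive_Tar file-name bugs turned on.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def member_problems(name: str) -> list[str]:
    """Return the reasons a tar entry name (or link target) must not be written to disk."""
    problems = []
    if SCHEME_RE.match(name):
        problems.append("stream-wrapper scheme in name")
    if name.startswith(("/", "\\")):
        problems.append("absolute path")
    if ".." in name.replace("\\", "/").split("/"):
        problems.append("parent-directory traversal")
    return problems


def audit_tar(data: bytes) -> dict[str, list[str]]:
    """List every offending member of an uploaded archive, without extracting anything."""
    findings: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            problems = member_problems(member.name)
            if member.issym() or member.islnk():
                problems += ["link target: " + p for p in member_problems(member.linkname)]
            if problems:
                findings[member.name] = problems
    return findings


def build_sample_tar() -> bytes:
    """Constructed sample upload: one benign file, three hostile names, one hostile symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("files/readme.txt", "PHAR://upload/evil.phar/x",
                     "file:///passwd", "../../index.php"):
            info = tarfile.TarInfo(name)
            payload = b"constructed content\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("config.txt")  # symlink pointing at a system file
        link.type = tarfile.SYMTYPE
        link.linkname = "/shadow"
        tar.addfile(link)
    return buf.getvalue()
```

An upload handler would call audit_tar() on the raw bytes and refuse the whole archive whenever the returned mapping is non-empty.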
