Drupal core bug allows remote code execution

This just arrived in email from wordfence.com. If you use Drupal or know someone who does, the Drupal patches need to be applied immediately to prevent / stop remote code execution attacks.

A more detailed overview of upgrade recommendations from the Drupal security team is available on Drupal.org. They have also published a detailed FAQ. This attack has been nicknamed “Drupalgeddon 2.” The previous Drupalgeddon was as high in severity as this, and had automated attacks against unpatched Drupal sites within a matter of hours after the public announcement of the vulnerability was made.

—<snip>—

This morning we are publishing a public service announcement about a severe Drupal core remote code execution vulnerability announced yesterday. If you use Drupal or know someone who does, I’d encourage you to read this post and spread the word.
The vulnerability allows an attacker, leveraging multiple attack vectors, to take complete control of a website. The Drupal team estimates that at the time of the announcement over 1 million sites are affected, about 9% of Drupal sites.
Our focus is usually WordPress security, but given the severity and wide impact of this vulnerability, we feel it justifies a PSA to help spread the word.
Regards,
Mark Maunder
Defiant Inc CEO
—<snip>—

Comments are closed