The team behind the open source content management system Drupal have released patches for what is said to be a highly critical vulnerability in versions 7 and 8 of the software that can be exploited remotely.
But no technical details of the bug have been provided apart from this statement: "A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
"This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised."
The patch sanitizes all three of these by removing all keys that begin with the character "#".
— aran (@arancaytar) 28 March 2018
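As an added illustration of the behaviour the tweet above describes, and not code from Drupal's own patch, the following PHP function strips every key that begins with "#" from request input, recursing into nested arrays, and records what was dropped so the event can be logged rather than silently discarded. The function name and the sample query, POST and cookie data are constructed for this example.

```php
<?php
// Illustration only, not Drupal's RequestSanitizer: remove every key that
// begins with "#" from an input array, recursing into nested arrays, and
// collect the full path of each dropped key in $removed.
function strip_hash_keys(array $input, array &$removed, string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $full = ($path === '') ? (string) $key : $path . '[' . $key . ']';
        // Only string keys can begin with "#"; PHP stores numeric keys as integers.
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $full;
            continue;
        }
        $clean[$key] = is_array($value)
            ? strip_hash_keys($value, $removed, $full)
            : $value;
    }
    return $clean;
}

// Constructed sample input standing in for the three sources the tweet refers
// to: query string ($_GET), POST body ($_POST) and cookies ($_COOKIE).
$sources = [
    'query'   => ['q' => 'node/1', '#hidden' => 'x'],
    'request' => ['mail' => ['value' => 'a@example.test', '#widget' => 'x'], 'op' => 'Save'],
    'cookie'  => ['session' => 'abc123', '#extra' => '1'],
];

foreach ($sources as $name => $data) {
    $removed = [];
    $sources[$name] = strip_hash_keys($data, $removed);
    if ($removed !== []) {
        // Route this to normal application logging: "#" keys arriving in a
        // cookie or query string are worth an alert, not just silent removal.
        error_log(sprintf('%s: dropped key(s) %s', $name, implode(', ', $removed)));
    }
}

// Show the sanitised arrays; no "#"-prefixed key remains at any depth.
var_export($sources);
```

Running this logs one dropped key per source (query[#hidden], request[mail][#widget], cookie[#extra]) and leaves the remaining keys untouched.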
Drupal is run by some 450 Australian Government websites using a custom version known as govCMS. Drupal also runs the White House website.
The advisory mentioned above links to a FAQ, but even there the Drupal Security Team dances all around the issue and does not mention specifics.
In response to a question "How dangerous is this issue?" on the FAQ, the Drupal Security Team says: "Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 (Highly Critical)."
The announcement doesn't mention D5 or D4.7, though, so it sounds like something that only got added in D6. All complete speculation, of course.
— aran (@arancaytar) 28 March 2018
To get an idea of what the risk score is all about, one has to go to a third Web page.
It is only in the comments on the FAQ page that some idea can be obtained about the vector for this flaw. One commenter said the flaw affected the Bootstrap system. A second said: "The exploit is done via maliciously formed cookies, POST requests or query strings."