Drupal Remote Code Execution Vulnerability (CVE-2018-7600)

05/05/2018 11:14:07

On March 28, 2018, a highly critical remote code execution vulnerability (CVE-2018-7600) in the popular open-source Drupal CMS was exposed.


What is Drupal? Drupal is an open-source content-management framework (CMF) written in PHP, consisting of a content-management system (CMS) and a PHP framework. Here "framework" refers to the PHP classes, function libraries and abstract Drupal API that make up Drupal core.


Because Drupal CMS has powerful features that can be configured flexibly, it is used by a wide variety of websites, from personal blogs to community-driven sites. In addition, Drupal employs cutting-edge technology to ensure code security and robustness. Thus many government agencies and institutions rely on Drupal CMS, including The White House, The United States Department of Commerce, The New York Times, Sony and multiple reputable Chinese universities.


The Issue

According to the official announcement from Drupal, affected versions include Drupal 6.x, Drupal 7.x and Drupal 8.x. According to official statistics supplied by Drupal, this vulnerability has a wide impact: over one million websites around the globe use Drupal CMS, accounting for 9% of CMS-based websites. The vulnerability is easy to exploit: an attacker can bypass the login credential requirement simply by requesting a crafted URL on a Drupal site, ultimately gaining access to unpublished, private or sensitive data.


Drupal v.7.58 introduces a ‘request-sanitizer.inc’ file that receives input arriving via GET, POST or a cookie and sanitizes it to prevent risky operations. The ‘/includes’ directory and several existing .inc files have also been updated. Risky operations are filtered by the main function “stripDangerousValues.” When the input is an array, the function inspects every parameter whose name starts with a #. Finally, it removes the # entries, writes the remaining parameters back to the array, and returns the cleaned parameters to the calling function.


The Drupal core accepts array objects as request parameters and does not filter arrays, allowing attackers to exploit this flaw by using an array with payload.
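The following PHP is an added example, not Drupal's own code: it implements the sanitizing step described above as a stand-alone function, recursively stripping every '#'-prefixed key from an input array (nested arrays included) and recording what was removed so the event can be logged. The function name, the constructed sample request and the log message are assumptions for illustration.

```php
<?php
// Added example (not Drupal's code): strip '#'-prefixed keys from request
// parameters, in the spirit of the fix shipped in Drupal 7.58 / 8.5.1.
// Form-API internal keys begin with '#', so such a key arriving from the
// client in GET, POST or cookie data should never reach form processing.

/**
 * Remove every key that starts with '#' from $input, recursing into nested
 * arrays. Returns the cleaned array; the paths of stripped keys are appended
 * to $removed so the caller can log them.
 */
function strip_hash_keys(array $input, array &$removed, string $path = ''): array
{
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            unset($input[$key]);
            $removed[] = $here;
            continue;
        }
        if (is_array($value)) {
            $input[$key] = strip_hash_keys($value, $removed, $here);
        }
    }
    return $input;
}

// Constructed sample request (assumption): a registration form whose "mail"
// field is submitted as an array carrying '#'-prefixed keys, the shape the
// advisory describes. Only the '#' entries are dropped; 'value' survives.
$post = [
    'form_id' => 'user_register_form',
    'mail'    => ['#type' => 'markup', '#markup' => 'x', 'value' => 'a@b.example'],
];
$removed = [];
$clean   = strip_hash_keys($post, $removed);
print_r($clean);

// In a real deployment the same call is applied to $_GET, $_POST and $_COOKIE
// before any form handling runs. A '#' key in client input is a strong signal
// of an exploitation attempt, so log it for detection rather than dropping it
// silently.
if ($removed !== []) {
    error_log('stripped dangerous request keys: ' . implode(', ', $removed));
}
```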


Vulnerability Reproduction

Let us break it down for you. To give you an intuitive view of the vulnerability and the attack process, we reproduced it. Because this flaw exists in earlier versions of Drupal CMS, we built a test site running Drupal 8.4.5.



Create a new account by visiting http://xxx.xxx.xxx.xxx/user/register



Because the email field is not sanitized after being passed as a parameter, an attacker can submit an array containing malicious commands through an AJAX call, and those commands are subsequently executed.

The screenshot above shows that, once the constructed array has been passed, the response contains the output of the id command, indicating that the malicious command carried in the array was executed. To prevent this attack, strip the # parameters passed in arrays, as the patches released by Drupal do. Please apply the upgrade as soon as possible.


Affected Versions
Drupal 6

Drupal 7

Drupal 8


Vuln. Remediation Solution
If you are running Drupal 6.x, visit the link below:
https://www.drupal.org/project/d6lts


If you are running Drupal 7.x, upgrade to Drupal 7.58. If you are unable to update immediately, fix the vulnerability by applying the patch for Drupal 7.x released by Drupal. Visit the link below to get the patch: https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5


If you are running Drupal 8.5.x, upgrade to Drupal 8.5.1. If you are unable to update immediately, fix the vulnerability by applying the patch for Drupal 8.5.x released by Drupal. Visit the link below to get the patch:
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f


Drupal no longer supports Drupal 8.3.x and 8.4.x. However, given the potential severity of this vulnerability, Drupal has released a corresponding patch, which is the same as the one for version 8.5.x. Visit the link below to get the patch:
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f


Since Drupal 8.3.x and 8.4.x are no longer supported, upgrading to Drupal 8.3.9 or Drupal 8.4.6 is recommended.


Sangfor Solution
For Sangfor NGAF customers, please update security databases to the latest version.

COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.