Drupal, one of the world’s largest open-source web content management platforms, received bad news this week in the form of a nasty bug called “Drupalgeddon2”. Left unpatched, it leaves millions of Drupal websites wide open to attackers. In this article, we look at what Drupalgeddon2 is and what you can do to secure your Drupal website against this latest vulnerability.
What is Drupalgeddon2?
The vulnerability was first discovered by Jasper Mattsson, an employee of Drupal security auditing firm Druid.
The latest bug is called Drupalgeddon2 (identified as CVE-2018-7600) after the original Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.
Drupal warns that attackers can exploit the flaw through several avenues. Any visitor, regardless of privileges (authenticated or not), can exploit it simply by visiting an affected site, and can then access, modify and delete private data. The root cause is missing input validation, which allows remote code execution on the web server.
How Deadly Is This Bug?
Well, the latest security flaw is so serious that Drupal has given it a ‘highly critical’ rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System.
No attacks have been detected yet, but the Drupal development team and experts believe they will commence in short order.
At the time of writing, the Drupalgeddon2 security flaw affects Drupal 6, 7 and 8 core versions.
Precaution Measures for Drupal Website Owners:
As a safety measure, it is highly recommended to update your Drupal sites to the latest patched release. If you are running Drupal 7.x, update to Drupal 7.58. If you are running Drupal 8.5.x, update to Drupal 8.5.1. The Drupal team also issued security patches for the 6.x versions, even though that branch was discontinued in February 2016.
If you are unable to patch immediately, you may want to replace your Drupal site with a static HTML page so that the vulnerable Drupal code is not reachable by visitors at all.
Meanwhile, all staging and in-development Drupal installations should be updated or taken down completely until the security patch can be applied.
If you wish to know more about Drupalgeddon2, please head over to https://www.drupal.org/security.