With Drupalgeddon2 still under attack, Drupal fixes a new critical flaw


For the second time in a month, websites that use the Drupal content management system are confronted with a stark choice: install a critical update or risk having your servers infected with ransomware or other nasties.

Maintainers of the open-source CMS built on the PHP programming language released an update patching a critical remote-code vulnerability on Wednesday. The bug, formally indexed as CVE-2018-7602, exists within multiple subsystems of Drupal 7.x and 8.x. Drupal maintainers didn’t provide details on how the vulnerability can be exploited other than to say attacks work remotely. The maintainers rated the vulnerability “critical” and urged websites to patch it as soon as possible.

That severity rating is one notch lower than the so-called “Drupalgeddon2” bug maintainers patched late last month. Formally indexed as CVE-2018-7600, that bug also made it possible for attackers to remotely execute code of their choice on vulnerable servers, in that case simply by accessing a URL and injecting exploit code. That issue became public shortly after the patch was released. Since then, multiple attack groups have been actively exploiting the critical flaw to install cryptocurrency miners and malware that performs denial-of-service attacks on other servers.


Post Author: martin
