Drupal Core Arbitrary PHP Code Execution Vulnerability
BID:106647
Info
| Bugtraq ID: | 106647 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 16 2019 12:00AM |
| Updated: | Jan 16 2019 12:00AM |
| Credit: | Greg Knaddison |
| Vulnerable: | Drupal 8.6.5, 8.6.4, 8.6.3, 8.6.2, 8.6.1, 8.5.6, 8.5.3, 8.5.2, 8.5.1, 8.5, 7.6, 7.59, 7.58, 7.57, 7.56, 7.55, 7.54, 7.52, 7.5, 7.44, 7.43, 7.42, 7.41, 7.40, 7.4, 7.39, 7.38, 7.37, 7.36, 7.35, 7.34, 7.33, 7.32, 7.31, 7.30, 7.3, 7.29, 7.28, 7.27, 7.26, 7.25, 7.24, 7.23, 7.22, 7.21, 7.20, 7.2, 7.19, 7.18, 7.17, 7.16, 7.15, 7.14, 7.13, 7.12, 7.11, 7.1 |
| Not Vulnerable: | Drupal 8.6.6, 8.5.9, 7.62 |
Discussion
Drupal is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
The following products are affected:
Drupal versions 8.6.x prior to 8.6.6
Drupal versions 8.5.x prior to 8.5.9
Drupal versions 7.x prior to 7.62
Exploit / POC
Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References: