New versions of Drupal core dropped today, to fix a file handling issue.
After assessing the patches, statements, and risks associated with this update, we have decided this is an important update to apply, but not urgent for most of the sites we manage.
Exploitation of the flaw takes two things:
- The ability to upload a malicious file with a PHAR archive embedded in it; note this could masquerade as an otherwise innocent file such as an image
- The ability to pass a file path carrying the "phar://" stream wrapper prefix to a filesystem function in the code (the wrapper is what triggers PHP to parse the archive's metadata).
The Drupal security team hints that this requires some level of administrative access.
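To make the second precondition concrete, here is an added example (our illustration, not Drupal core's own code) of the two defensive checks a file-handling layer can apply: refusing any stream-wrapper scheme outside an allow-list before a path reaches a filesystem call, and scanning upload contents for the stub every PHAR archive must contain. The `public`/`private` scheme names are assumptions borrowed from Drupal's conventions.

```php
<?php
// Added example, not Drupal's code. PHP's file_exists(), is_file(), filesize()
// etc. all honour stream wrappers, so a user-influenced path such as
// "phar://files/avatar.jpg/x" would make PHP parse the "image" as a PHAR.

/**
 * True only if $path has no scheme, or a scheme on the allow-list.
 * Assumed allow-list: Drupal's public:// and private:// wrappers.
 */
function is_safe_local_path(string $path, array $allowed = ['public', 'private']): bool {
    // PHP resolves wrapper names case-insensitively, so compare lower-cased.
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $path, $m)) {
        return in_array(strtolower($m[1]), $allowed, true);
    }
    // Plain relative paths: refuse NUL bytes and parent-directory traversal.
    return strpos($path, "\0") === false
        && !preg_match('#(^|/)\.\.(/|$)#', $path);
}

/**
 * Heuristic content check for uploads: a PHAR archive's stub must end with
 * __HALT_COMPILER(); whatever extension the file carries. Legitimate images
 * never contain it, so a hit is worth rejecting or quarantining.
 */
function looks_like_phar(string $data): bool {
    return stripos($data, '__HALT_COMPILER') !== false;
}

// Constructed sample paths and the verdict each should get.
$paths = [
    'public://pictures/avatar.jpg'       => true,
    'sites/default/files/report.pdf'     => true,
    'phar://sites/default/files/a.jpg/x' => false,
    'PHAR://sites/default/files/a.jpg'   => false,
    '../../sites/default/settings.php'   => false,
];
foreach ($paths as $p => $expected) {
    assert(is_safe_local_path($p) === $expected, "unexpected verdict for $p");
}

// Constructed byte strings: a bare JPEG header, and one with a stub appended.
$jpeg_header = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16);
$with_stub   = $jpeg_header . '<?php __HALT_COMPILER(); ?>';
assert(looks_like_phar($jpeg_header) === false);
assert(looks_like_phar($with_stub) === true);
echo "all checks passed\n";
```

Run with `zend.assertions=1` (the CLI default in development builds) so the assertions are evaluated; in production the path check belongs in front of every filesystem call that takes a user-influenced path, not only in upload handlers.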
We are updating all of our client sites through our normal testing pipeline over the next few days, prioritizing any sites that allow untrusted user uploads.
If your site is on our Protection Plan, allows user uploads, and you have not received a release notification by the end of the day, please reply to our security notice and let us know, and we will expedite the updates to your site!
On another note, our take on this vulnerability is that it is a pretty fundamental issue with PHP, with a lot of different ways an exploit might happen. Drupal is really good in this area in that it has a file management API which most contributed modules use, which provides a central place to put in protection for this kind of attack. This greatly helps the entire Drupal ecosystem protect against this kind of attack!
Other systems (*cough* WordPress) leave much of this up to the plugin authors. We see numerous other PHP CMSs releasing security updates for this today, with one notable absence...
For more info, see the original security advisory.