
Assessment of May 8 Drupal Security update SA-CORE-2019-007

By John Locke on May 8, 2019

New versions of Drupal core were released today to fix a file handling issue.

After assessing the patches, statements, and risks associated with this update, we have decided this is an important update to apply, but not urgent for most of the sites we manage.

Exploitation of the flaw requires two things:

  • The ability to upload a malicious file with "PHAR" encoding embedded -- note this could masquerade as an otherwise innocent file, such as a graphics file.
  • The ability to pass a file path including the "phar://" stream wrapper prefix to a filesystem function in the code.

The Drupal security team hints that this requires some level of administrative access.
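The second precondition above is the one application code controls directly. As an added example (not Drupal core's own fix, which takes a different approach), here is a PHP guard that refuses any path carrying a stream wrapper scheme before it reaches a filesystem call; the `LocalPathGuard` class and the temporary directory are constructed for this illustration.

```php
<?php
// Added example, not Drupal core code: reject stream wrappers and directory
// escapes before a user-supplied name reaches file_exists(), is_file(), etc.
final class LocalPathGuard
{
    /** Returns the resolved path, or throws if it uses a wrapper or leaves $baseDir. */
    public static function resolve(string $baseDir, string $path): string
    {
        // Any "scheme://" prefix (phar://, data://, file://, ...) is refused outright.
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
            throw new InvalidArgumentException("Stream wrappers are not allowed: $path");
        }
        // A NUL byte would truncate the path seen by the underlying C calls.
        if (strpos($path, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in path');
        }
        $base = realpath($baseDir);
        $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
        // realpath() collapses "../" segments, so a prefix check is sufficient here.
        if ($base === false || $real === false
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            throw new InvalidArgumentException("Path escapes $baseDir: $path");
        }
        return $real;
    }
}

// Constructed demo: a sandbox directory holding one innocuous upload.
$dir = sys_get_temp_dir() . '/phar_guard_demo';
@mkdir($dir);
file_put_contents("$dir/avatar.jpg", 'not really a jpeg');

// Before: the supplied name goes straight to file_exists(). With a "phar://"
// prefix PHP hands it to the phar wrapper, which parses the archive (including
// its serialized metadata) as a side effect of the existence check.
$untrusted = "phar://$dir/avatar.jpg/anything";
var_dump(file_exists($untrusted));

// After: the guard rejects the wrapper (and traversal) before any filesystem call.
foreach (['avatar.jpg', $untrusted, '../../etc/passwd'] as $candidate) {
    try {
        echo "ok: ", LocalPathGuard::resolve($dir, $candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

Checking upload contents for a PHAR signature is a weaker second layer, since the phar wrapper also accepts tar- and zip-based archives; refusing wrapper prefixes at the path boundary does not depend on recognising the file format.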

We are updating all of our client sites through our normal testing pipeline over the next few days, prioritizing any sites that allow untrusted user uploads.

If your site is on our Protection Plan, allows user uploads, and you have not received a release notification by the end of the day, please reply to our security notice and let us know, and we will expedite the updates to your site!

On another note, our take on this vulnerability is that it is a fairly fundamental issue with PHP itself, with many different code paths through which an exploit might happen. Drupal is in good shape in this area because it has a file management API that most contributed modules use, which provides a central place to add protection against this kind of attack. That greatly helps the entire Drupal ecosystem defend against it!

Other systems (*cough* WordPress) leave much of this up to the plugin authors. We see numerous other PHP CMSs releasing security updates for this today, with one notable absence...

For more info, see the original security advisory.

Comments

Drupal or WordPress or Joomla? Security has always been an issue. It's good to have someone monitoring and fixing vulnerabilities.

