The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module.

This advisory is covered by Drupal Steward. Specifically, the vulnerability requires that the following preconditions are met: Because this vulnerability is not mass-exploitable, your Steward partner may respond by monitoring only, rather than enforcing a new WAF rule. However, in this case we have chosen to apply Drupal Steward security coverage to test our processes. All Drupal 7 sites on Windows web servers.

This vulnerability is specifically in the REST API, which includes a deserialization module. In particular, the LinkItem class (a subclass of the FieldItemBase class) defines the link field, which defines the structure of links and associated fields (descriptions, etc.). Inside the LinkItem class is a single line that performs deserialization of options supplied for the link property.

How Drupal addresses common security vulnerabilities

Drupal's API and default configuration are designed to be secure when used in their default modes. The Shortcut class then makes use of the link property, which is what ultimately exposes the deserialization to user-controlled data. Issues like injection, cross-site scripting, session management, cross-site request forgeries, and others all have standard solutions in the Drupal API. In Drupal, a shortcut is a way of visually displaying a quick link to a frequently used page via a toolbar or menu item. Knowing these factors, an attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the 'options' field for the link.

Figure 1. The serialized content is processed even if the user is not authenticated

Figure 2.

In the response, you can see that we have successfully executed 'cat /etc/passwd' on the target, although this command could be trivially changed to anything, including downloading a web shell or establishing persistence on the target via malware or other means. All executed commands will inherit the privileges of the user running Drupal.

Figure 3. Attack variations can be easily performed with other API endpoints

The specific payload used in the serialization makes use of a gadget chain via Guzzle, a PHP HTTP client, and was generated via PHPGGC (PHP Generic Gadget Chains), as pointed out by other researchers.

Trend Micro Solutions

All REST API endpoints in the applicable Drupal versions are potentially vulnerable, with the following HTTP methods: GET, PUT, PATCH, and POST. Disabling all web services modules or blocking all requests to them that use the aforementioned methods should be sufficient to prevent this attack. A proactive, multilayered approach to security is key against threats that exploit vulnerabilities, from the gateway, endpoints, networks, and servers. Users are also advised to upgrade to the latest Drupal version, which patches this issue. Trend Micro Deep Security and Trend Micro™ Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications or websites such as those that use Drupal. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a URI on a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach: use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects altogether.
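The following is an added example, not Guzzle's own code, of the two conditions the Guzzle advisory on this page describes for callers who take its advice to disable Guzzle's redirect handling and follow redirects themselves: every `Cookie` header, including one set by hand on the initial request, is dropped when a hop changes host or downgrades https to http. The function names dropsCookie and followSafely and the host example.test are assumptions.

```php
<?php
// Added example, not Guzzle's own code. Guzzle's redirect handling is disabled and
// redirects are followed by hand. Function names and hosts are assumptions.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// True when cookies must not travel to the redirect target: the target is
// on a different host, or the scheme goes from https to plain http.
function dropsCookie(UriInterface $from, UriInterface $to): bool
{
    $hostChanged = strcasecmp($from->getHost(), $to->getHost()) !== 0;
    $downgraded  = $from->getScheme() === 'https' && $to->getScheme() === 'http';
    return $hostChanged || $downgraded;
}

function followSafely(Client $client, RequestInterface $request, int $max = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        // allow_redirects => false keeps Guzzle's RedirectMiddleware out of the loop.
        $response = $client->send($request, ['allow_redirects' => false]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response;
        }
        if ($hop >= $max) {
            throw new RuntimeException("More than $max redirects");
        }
        $target = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        $next = $request->withUri($target);
        if (dropsCookie($request->getUri(), $target)) {
            // Strip unconditionally: a manually added Cookie header is not tracked
            // by the cookie middleware, which is exactly the gap the fix closed.
            $next = $next->withoutHeader('Cookie');
        }
        $request = $next;
    }
}

// Hypothetical host: a Cookie set by hand for example.test never reaches
// another host or an http:// target, whatever the server redirects to.
$client = new Client();
$req = new Request('GET', 'https://example.test/login', ['Cookie' => 'session=abc']);
echo followSafely($client, $req)->getStatusCode(), "\n";
```

Cookies that belong on the new host can still be re-added by attaching Guzzle's cookie middleware to the client, which is the behaviour the fixed versions keep.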