The developers of the open source CMS have urged admins to apply the security update, warning that an unpatched site could be completely compromised.
The developers of the widely used open source CMS Drupal have advised site admins to patch a flaw immediately. The flaw allows attackers to compromise a site simply by visiting a vulnerable page on it.
Who is affected?
The flaw affects every site running Drupal 6, Drupal 7 or Drupal 8; according to the Drupal project usage page, that is at least a million sites. The developers are openly urging all admins to update their software quickly. Admins should update to Drupal 7.58 or Drupal 8.5.1.
Drupal issued an alert last week asking admins to apply the patch. It warned them to set aside time for the update, as attacks could begin at any moment, within days or in some cases even hours. Drupal did, however, confirm that no attacks exploiting the flaw had been observed so far.
The bug has been dubbed Drupalgeddon2 and officially assigned the identifier CVE-2018-7600. Drupal rates it highly critical, with a risk score of 21 out of 25 on the NIST Common Misuse Scoring System. Drupal has also released patches for the otherwise unsupported Drupal 8.3.x and Drupal 8.4.x branches so that sites on those versions can be fixed quickly.
Drupal also states that attackers can exploit the flaw through different channels: any visitor to an affected site can attack it. After compromising a site, an attacker can gain access to it, modify it and delete its private data. In its notes, Drupal said the flaw exposes various components of a Drupal site to attack, and that a successful attack would compromise the whole site.
The developers noted that nothing short of drastic changes to the configuration settings would mitigate the problem, so they recommend applying the security update immediately. In its notes, Drupal confirmed that the security update removes certain dangerous values from user-supplied input.
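To make the last point concrete, here is an added, stand-alone Python illustration of the kind of request sanitization the fix performs. It is not Drupal's own code (the real fix lives in Drupal core and is written in PHP); the dangerous values it strips are array keys beginning with "#", which is a detail of the actual fix that the article above does not state. The sample request, the function names and the "#"-prefixed keys in it are all constructed for this example.

```python
"""Strip dangerous "#"-prefixed keys from user-supplied request data.

Added example, not Drupal code. Assumes (as the real Drupal fix does) that
keys starting with "#" are the values that must never reach the application
from query, body or cookie input. Names and sample data are constructed.
"""
from typing import Any

# Constructed sample request; "#hypothetical_key" and "#nested" are made-up
# keys used only to show what gets removed.
SAMPLE_REQUEST = {
    "query": {"q": "search term", "#hypothetical_key": "value"},
    "body": {"name": "alice", "profile": {"#nested": "x", "bio": "hi"}},
    "cookies": {"session": "abc123"},
}

DANGEROUS_PREFIX = "#"


def strip_dangerous_values(data: Any, path: str = "") -> tuple[Any, list[str]]:
    """Return a copy of `data` without keys starting with DANGEROUS_PREFIX.

    Works recursively through nested dicts and lists, because form arrays
    can nest arbitrarily. Also returns the dotted paths of every stripped key
    so the caller can log what was removed.
    """
    if isinstance(data, dict):
        cleaned: dict = {}
        stripped: list[str] = []
        for key, value in data.items():
            if isinstance(key, str) and key.startswith(DANGEROUS_PREFIX):
                stripped.append(f"{path}{key}")
                continue  # drop the whole subtree under a dangerous key
            sub, sub_stripped = strip_dangerous_values(value, f"{path}{key}.")
            cleaned[key] = sub
            stripped.extend(sub_stripped)
        return cleaned, stripped
    if isinstance(data, list):
        cleaned_list: list = []
        stripped = []
        for index, value in enumerate(data):
            sub, sub_stripped = strip_dangerous_values(value, f"{path}{index}.")
            cleaned_list.append(sub)
            stripped.extend(sub_stripped)
        return cleaned_list, stripped
    return data, []  # scalars are passed through unchanged


def sanitize_request(request: dict) -> tuple[dict, list[str]]:
    """Sanitize the query, body and cookie parts of a request dict.

    Returns the cleaned request and the list of stripped key paths, which a
    site owner can feed into logging or alerting to spot probing attempts.
    """
    cleaned: dict = {}
    log: list[str] = []
    for part in ("query", "body", "cookies"):
        cleaned[part], removed = strip_dangerous_values(
            request.get(part, {}), path=f"{part}."
        )
        log.extend(removed)
    return cleaned, log


if __name__ == "__main__":
    clean, removed = sanitize_request(SAMPLE_REQUEST)
    print("cleaned:", clean)
    print("stripped:", removed)
```

Because the sanitizer runs before any application code sees the input, it protects every form and route at once, which is why Drupal could ship it as a core update rather than asking admins to reconfigure individual sites. Logging the stripped paths gives defenders a cheap signal that someone is sending "#"-prefixed parameters to the site.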