Drupal, the popular open-source content management system, has released a new version of its software to patch a security bypass vulnerability that could allow a remote attacker to take control of the affected websites.
The vulnerability, tracked as CVE-2018-14773, resides in a component of a third-party library, called Symfony HttpFoundation component, which is being used in Drupal Core and affects Drupal 8.x versions before 8.5.6.
Since Symfony—a web application framework with a set of PHP components—is being used by a lot of projects, the vulnerability could potentially put many web applications at risk of hacking.
Symfony Component Vulnerability
According to an advisory released by Symfony, the security bypass vulnerability originates due to Symfony’s support for legacy and risky HTTP headers.
“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers,” Symfony said.
A remote attack can exploit it with a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value, which overrides the path in the request URL to potentially bypass access restrictions and cause the target system to render a different URL.
The vulnerability has been fixed in Symfony version 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3, and Drupal has patched the issue in its latest version 8.5.6.
The same Flaw Exists in Zend Framework
Besides Symfony, the Drupal team found that a similar vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal Core, which they named ‘URL Rewrite vulnerability.’
However, the popular CMS said Drupal Core does not use the vulnerable functionality, but recommended users to patch their your website, if their site or module uses Zend Feed or Diactoros directly.
Drupal powers millions of websites and unfortunately, the CMS had recently been under active attacks since after the disclosure of a highly critical remote code execution vulnerability, dubbed Drupalgeddon2.
Therefore, before hackers started exploiting the new flaw to take control of your website, you are highly recommended to update your sites as soon as possible.