Web application security testing experts report that sites running Drupal, Joomla or TYPO3 are exposed to multiple variants of cyberattacks due to a vulnerability that hackers might exploit to run malicious code; patches to fix this bug have just been released, so web site administrators are encouraged to install corrections immediately.
The vulnerability lies in PharStreamWrapper, an open source PHP component developed by TYPO3. The vulnerability, tracked as CVE-2019-1183, exists due to a path traversal error that allows hackers to replace a legitimate phar file with a malicious one in a website. These files are used to distribute a complete PHP application or library in a single file.
The Drupal team launched a security alert in recent days, stating that the vulnerability, rated as serious, affects the CMS in a moderately critical manner, although web application security testing specialists do not consider it to be close to the severity of the remote execution vulnerability known as “Drupalgeddon”. However, experts ask administrators not to ignore updates.
“We have tried to contact Drupal to reconsider the assessment they have made of vulnerability; instead of saying that this is a ‘moderately critical’ flaw, the company should consider it a high-severity flaw”, say web application security testing specialists.
“In Drupal sites with default configurations (no plugins) a user with ‘theme manager’ rights is required, which is a high privilege. In other words, an attacker requires privileges like employees by graphic designers working on a website”.
According to the specialists from the International Institute of Cyber Security (IICS), once hackers get these privileges it is very easy to exploit the vulnerability and achieve remote code execution.
Regarding the vulnerability, Joomla developers launched a statement in which they rated it as a ‘low risk’ flaw. On the other hand, the developers of TYPO3 have not spoken about it.
According to the reports, Drupal version 8.7 must be upgraded to 8.7.1, versions 8.6 and above must be upgraded to 8.6.16, while version 7 will be updated to 7.67.
