I'm sure we'll start seeing exploit attempts soon - and we will be actively monitoring logs (looking for interesting query string patterns) to see what we find. So we'll keep our suspicions of where the issue lies to ourselves for the time being. Because for now, it's probably most helpful for the Drupal community to avoid helping the bad guys zero in on the exploit details until we've allowed time for the majority of people to sort out their sites.
#Drupal security release levels Patch
The patch is definitely more of a workaround (removing the offending keys) rather than actually changing the code that is causing those keys to be a security issue, which right now makes it difficult to see where the actual exploit lies. Obviously, there is nothing intrinsically insecure about a query string key starting with a '#', so there must be something more fundamental going on. So, the issue must be something pretty deep in Drupal. The contents of request-sanitizer.inc boil down to simply stripping all query string keys that start with a '#'.
#Drupal security release levels update
That made for a generally quick and easy update (always a blessing when updating multiple sites at 8pm!). Drupal 9.2 series: Drupal 9.2.2 All other version series, such as Drupal 8.x series prior to 8. The module doesnt sufficiently protect the libraries. The patch itself is pretty straightforward for Drupal 7 there's a new include file "request-sanitizer.inc" which is called into action early in the Drupal bootstrap. This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The good news, it was a relatively easy fix, some manic patching later and all our clients are safe. What privilege level is required for an exploit to be successful? None (all/anonymous users).ĭoes this vulnerability cause non-public data to be accessible? All non-public data is accessible.Ĭan this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted. How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
The e-mail should include: How many hours you can commit to the team per month.
Whatever we call it, it's here and it is every bit as scary as everyone had feared - the key lines from the update : 22 September 2018 The Security Team handbook page has more information about the team. No one seems quite sure what to call SA-CORE-2018-002, although there does seem to be a trend towards drupalgeddon2.
0 kommentar(er)
