A new vulnerability, CVE-2018-14773, has been discovered that affects Drupal, the popular open-source content management system. More specifically, the vulnerability resides in the HttpFoundation component of Symfony, a third-party library. The component is part of Drupal core, and Drupal 8.x versions prior to 8.5.6 are affected.
Official Description of CVE-2018-14773
Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.
It should also be noted that, because Symfony, a web application framework built from a set of PHP components, is used by many projects, the flaw could put many web applications at risk. Remote attackers could exploit the flaw via a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value, which overrides the path in the request URL and could sidestep access restrictions. As a result, the target system could render a different URL from the one that was requested.
Fortunately, CVE-2018-14773 has been fixed in Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. Drupal has also patched the flaw in its latest version, Drupal 8.5.6.
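The following toy model is an added example, not code from Symfony, Drupal or the advisory. It shows the path disagreement the official description refers to and how it disappears once the backend ignores the headers or the edge strips them. The restricted prefix, sample request and all function names are hypothetical, and stripping the headers at the edge is an assumption about one possible mitigation, not something the advisory prescribes.

```python
# Added illustration: a toy model of the path disagreement in CVE-2018-14773.
# Paths, rule and function names are hypothetical; not Symfony or Drupal code.

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
RESTRICTED_PREFIXES = ("/admin",)  # constructed edge access rule


def normalize(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def edge_allows(path):
    """Front cache / web server: decides on the request-line path only."""
    return not path.startswith(RESTRICTED_PREFIXES)


def backend_path(path, headers, honor_override):
    """Path the application routes on. honor_override=True models the legacy
    IIS header support; False models a release that ignores these headers."""
    if honor_override:
        h = normalize(headers)
        for name in OVERRIDE_HEADERS:
            if name in h:
                return h[name]
    return path


def strip_override_headers(headers):
    """Edge-side mitigation (assumed): drop the headers before forwarding."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def layers_disagree(path, headers, honor_override=True, strip_at_edge=False):
    """True when the edge admits a request that the backend then routes to
    a path the edge rule would have refused."""
    if not edge_allows(path):
        return False  # refused at the edge, never reaches the backend
    if strip_at_edge:
        headers = strip_override_headers(headers)
    return not edge_allows(backend_path(path, headers, honor_override))


# Constructed sample request: (request-line path, headers)
SAMPLE = ("/public/page", {"X-Original-URL": "/admin/config"})

if __name__ == "__main__":
    path, headers = SAMPLE
    print("legacy backend:  ", layers_disagree(path, headers))
    print("patched backend: ", layers_disagree(path, headers, honor_override=False))
    print("headers stripped:", layers_disagree(path, headers, strip_at_edge=True))
```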
CVE-2018-14773 Also Found in the Zend Framework
The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core, researchers warned. Please note that Drupal core doesn’t use the vulnerable functionality. However, if a site or module uses Zend Feed or Diactoros directly, the admin of the site should refer to the Zend Framework security advisory.
Drupal was recently criticized due to a number of critical security issues which researchers dubbed Drupalgeddon.
In April, another Drupalgeddon remote code execution bug was discovered in the content management system. Identified as CVE-2018-7602, the highly critical vulnerability affected Drupal versions 7.x and 8.x. The bug was actively exploited in the wild.