CYBER NEWS

CVE-2019-6340: Uma nova falha altamente crítica em Drupal

A new highly critical vulnerability, tracked as CVE-2019-6340, has just been disclosed in Drupal, and fortunately it is already fixed in the latest releases of the content management system.

"If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module. We are unable to provide the list of those modules at this time," Drupal said in the security advisory.

CVE-2019-6340 Technical Summary

CVE-2019-6340 is a remote code execution flaw in Drupal Core that can lead to arbitrary PHP code execution in specific cases. Few technical details have been published about the vulnerability. What is known is that it is triggered because some field types do not properly sanitize data from non-form sources (that is, input that arrives through web services rather than through Drupal's form API). Drupal 8 core is affected; Drupal 7 core is not, although Drupal 7 contributed modules may be, as the advisory quoted above notes.

A Drupal site is exploitable only if the core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another web services module is enabled (for example JSON:API on Drupal 8, or the Services or RESTful Web Services modules on Drupal 7).

How can CVE-2019-6340 be mitigated?

To mitigate the vulnerability, affected site owners can disable all web services modules, or configure their web server(s) to reject PUT/PATCH/POST requests to web services resources. Keep in mind that web services resources may be reachable on multiple paths depending on the configuration of the corresponding server(s), so a block rule written for a single path can be bypassed.

"For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the 'q' query argument. For Drupal 8, paths may still function when prefixed with index.php/," the advisory said.
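The advisory's warning that the same resource is reachable under several spellings is what makes a naive web server rule unreliable. The script below is an added example, not code from the original article or from the Drupal project: it normalises the path variants the advisory lists (Drupal 7 clean URLs and the `q` query argument, Drupal 8 `index.php/` prefixes) and scans access log lines for PUT/PATCH/POST requests that reach a web services resource, which is a quick way to check whether a block rule is actually catching every form. The resource prefixes in `WEB_SERVICE_PREFIXES` and the sample log lines are assumptions constructed for the example; the `_format` query parameter is the format selector Drupal 8 core REST uses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Methods the advisory tells site owners to block on web services resources.
STATE_CHANGING = {"PUT", "PATCH", "POST"}

# Assumed resource prefixes for the monitored site: Drupal 8 core REST entity
# routes, JSON:API, and a Drupal 7 Services endpoint named "rest". Adjust to
# whatever the site's web services modules actually expose.
WEB_SERVICE_PREFIXES = ("/node", "/entity", "/jsonapi", "/rest")

# Apache/nginx combined-log style line; only the fields used here are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def normalize_path(request_target):
    """Reduce the alternative spellings of a Drupal route to one canonical path.

    Handles the forms the advisory warns about: Drupal 7 clean URLs and the
    ?q= query argument, and Drupal 8 paths prefixed with index.php/.
    Returns (canonical_path, query_dict).
    """
    parts = urlsplit(request_target)
    path = parts.path
    query = parse_qs(parts.query)

    # Drupal 7 without clean URLs: /?q=node/1 or /index.php?q=node/1
    if query.get("q"):
        path = "/" + query["q"][0]

    # Drupal 8: /index.php/node/1 routes exactly like /node/1
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    elif path == "/index.php":
        path = "/"

    path = re.sub(r"/+", "/", path)      # collapse doubled slashes
    if len(path) > 1:
        path = path.rstrip("/")          # /node/1/ -> /node/1
    return path, query


def is_web_service_request(path, query):
    """True if the request targets a web services resource."""
    if "_format" in query:               # Drupal 8 REST format selector
        return True
    return any(path == p or path.startswith(p + "/") for p in WEB_SERVICE_PREFIXES)


def flag_requests(log_lines):
    """Return (client, method, canonical_path, status) for each log line that
    sends a state-changing method to a web services resource."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method not in STATE_CHANGING:
            continue
        path, query = normalize_path(target)
        if is_web_service_request(path, query):
            hits.append((client, method, path, int(status)))
    return hits


# Constructed sample lines for the example, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2019:10:00:01 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 1234',
    '203.0.113.5 - - [20/Feb/2019:10:00:02 +0000] "POST /node/1?_format=hal_json HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Feb/2019:10:00:03 +0000] "PATCH /index.php/node/1?_format=json HTTP/1.1" 403 0',
    '203.0.113.5 - - [20/Feb/2019:10:00:04 +0000] "PUT /index.php?q=rest/node/1 HTTP/1.1" 200 77',
    '198.51.100.7 - - [20/Feb/2019:10:00:05 +0000] "POST /user/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("%s %s %s -> HTTP %d" % hit)
```

On the sample data the GET and the ordinary form POST to `/user/login` are ignored, while the POST, PATCH and PUT all resolve to web services paths even though only one of them is spelled as a plain clean URL. A 403 in the output means the web server rule rejected that form; a 200 on a PUT/PATCH/POST means the rule missed that spelling and the request reached Drupal.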

Related: CVE-2018-7600 Drupal Bug Used in New Attack (https://sensorstechforum.com/cve-2018-7600-drupal-bug-used-new-attack/)

Another remote code execution bug in Drupal, known as Drupalgeddon2, was exploited in October last year. An unknown criminal group was taking advantage of the older flaw tracked as CVE-2018-7600, which had already been patched in March 2018. According to the available research, the Drupalgeddon2 attacks allowed the attackers to compromise vulnerable sites and take full control of them, including access to private data.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project's beginning. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
