In April of this year, attackers began exploiting two critical vulnerabilities in Drupal, a widely used open source content-management system. The vulnerabilities were dubbed Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602). This month, a new flaw was disclosed in Drupal, this time residing in Symfony HttpFoundation, a component of the third-party Symfony framework used in Drupal Core. The new bug has been assigned CVE-2018-14773 and affects Drupal 8.x versions before 8.5.6.
Symfony released an advisory explaining that the flaw originates in the component’s support for legacy IIS rewrite headers. To trigger it, a remote attacker only has to send a specially crafted “X-Original-URL” or “X-Rewrite-URL” HTTP request header. The header value overrides the path in the request URL, so the application routes the request to a different URL than the one shown on the request line. A front-end web server or cache that enforces access restrictions on the request-line path never sees the override, which is how those restrictions can be bypassed.
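The following is an added example, not code from the Symfony project or the Drupal advisory. It models the mechanism described above in a deliberately simplified way: a front-end access check that only sees the request-line URI, a path resolver that honours the two override headers (the pre-fix behaviour), the same resolver with the override support removed (the post-fix behaviour), and a small check that flags inbound requests carrying either header. The deny list, the hostname and the raw request are constructed for illustration.

```python
"""Model of the X-Original-URL / X-Rewrite-URL path override (CVE-2018-14773).

Added example: a simplified stand-in for how an HTTP framework derives the
request path. It is not Symfony's own code. The deny list, hostname and sample
request below are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Paths a front-end web server or cache is configured to block (constructed).
FRONTEND_DENY_PREFIXES = ("/admin",)

# Header names honoured by the legacy IIS rewrite support, per the advisory.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")

# Constructed attacker request: the request line asks for "/", which the
# front end allows, while the header names the restricted path.
ATTACK_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "X-Original-URL: /admin/config\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.1 request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, request_uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_uri, headers


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def frontend_allows(request_uri: str) -> bool:
    """Front-end ACL: sees only the request-line URI, never the headers."""
    return not request_uri.startswith(FRONTEND_DENY_PREFIXES)


def resolve_path_vulnerable(request_uri: str, headers: Dict[str, str]) -> str:
    """Pre-fix behaviour: an override header replaces the request URI."""
    h = _lower_keys(headers)
    for name in OVERRIDE_HEADERS:
        if name.lower() in h:
            return h[name.lower()].split("?", 1)[0]
    return request_uri.split("?", 1)[0]


def resolve_path_fixed(request_uri: str, headers: Dict[str, str]) -> str:
    """Post-fix behaviour: the override headers are ignored entirely."""
    return request_uri.split("?", 1)[0]


def serve(
    request_uri: str,
    headers: Dict[str, str],
    resolver: Callable[[str, Dict[str, str]], str],
) -> Optional[str]:
    """Return the path the application routes, or None if the front end blocked it."""
    if not frontend_allows(request_uri):
        return None
    return resolver(request_uri, headers)


def flag_override_headers(headers: Dict[str, str]) -> List[str]:
    """Detection: list the override headers present on an inbound request."""
    h = _lower_keys(headers)
    return [name for name in OVERRIDE_HEADERS if name.lower() in h]


if __name__ == "__main__":
    uri, hdrs = parse_request(ATTACK_REQUEST)
    print("request line path :", uri)
    print("flagged headers   :", flag_override_headers(hdrs))
    print("vulnerable routes :", serve(uri, hdrs, resolve_path_vulnerable))
    print("fixed routes      :", serve(uri, hdrs, resolve_path_fixed))
```

Run stand-alone, the vulnerable resolver routes the constructed request to /admin/config even though the front end only ever saw a request for /, while the fixed resolver routes it to /. On a real deployment the equivalent check is to send the same request-line URI twice, once with and once without an X-Original-URL header naming a restricted path, and compare the responses; any difference means the backend is still honouring the header. Legitimate clients have no reason to send either header, so their presence at the edge is a reasonable thing to alert on.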
According to the advisory, the vulnerability was patched in versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 of the Symfony HttpFoundation component, and Drupal has fixed the issue in version 8.5.6.
The Drupal team also warned of a similar vulnerability, dubbed the ‘URL Rewrite vulnerability’, affecting the Zend Feed and Diactoros libraries included in Drupal Core. Drupal confirmed that core does not use the vulnerable functionality, but still recommends applying the fix on sites and modules that use either library directly.
Proficio Threat Intelligence Recommendations:
- Update your vulnerable site to the patched versions, following the advisories at symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers or drupal.org/SA-CORE-2018-005
- Administrators of websites using Zend Feed or Diactoros directly are advised to patch the ‘URL Rewrite vulnerability’ as described in the Zend Framework security advisory at framework.zend.com/security/advisory/ZF2018-01