Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Drupal Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Drupal core versions prior to 7.58, 8.0.x prior to 8.3.9, 8.4.x prior to 8.4.6, and 8.5.x prior to 8.5.1. This vulnerability allows remote attackers to execute arbitrary code, potentially leading to a complete compromise of the affected Drupal site. The issue arises from insufficient input sanitization in the Form API, which enables attackers to inject malicious payloads that are executed without authentication.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected Drupal site. This could lead to a full compromise of the site and potentially the underlying server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'user/register' endpoint with an injected renderable array in the 'mail' field. This can be done by exploiting the AJAX file upload functionality, which processes the injected payload without proper sanitization. Once the payload is executed, it can be used to run commands on the server or gain unauthorized access to administrative accounts.

Remediation

Users are advised to upgrade to Drupal 7.58, 8.3.9, 8.4.6, or 8.5.1. For Drupal 6, which is no longer supported, consider contacting a D6LTS vendor.
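The affected and fixed version ranges above are the data an asset-inventory check needs. The following script is an added example, not code from the advisory or from the Drupal project: it encodes exactly the thresholds stated on this page, compares a reported Drupal core version string against them, and triages a constructed inventory of hosts. The inventory contents and host names are made up for illustration; version strings are assumed to follow Drupal's "7.58" / "8.5.1" / "8.5.1-rc1" conventions, and a pre-release tag is treated as being prior to the final release of the same number.

```python
import re
from typing import Dict, List, Tuple

# Series prefix -> first fixed release, copied from the advisory text.
# 8.0.x through 8.3.x are all fixed by 8.3.9; 7.x by 7.58.
FIXED_RELEASES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((7,), (7, 58)),
    ((8, 0), (8, 3, 9)),
    ((8, 1), (8, 3, 9)),
    ((8, 2), (8, 3, 9)),
    ((8, 3), (8, 3, 9)),
    ((8, 4), (8, 4, 6)),
    ((8, 5), (8, 5, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def _normalize(parts: Tuple[int, ...], final: bool = True) -> Tuple[int, ...]:
    """Pad to major.minor.patch and append a release flag (1 = final, 0 = pre)."""
    padded = tuple(parts) + (0,) * (3 - len(parts))
    return padded + (1 if final else 0,)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'major.minor[.patch][-prerelease]' into a comparable tuple.

    Drupal 7 uses two components (7.58); Drupal 8 uses three (8.5.1).
    A pre-release sorts below the final release of the same number, so
    8.5.1-rc1 is still "prior to 8.5.1" (assumption made for this example).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor, patch, pre = m.groups()
    parts = (int(major), int(minor or 0), int(patch or 0))
    return _normalize(parts, final=pre is None)


def assess(version: str) -> str:
    """Classify a Drupal core version against the advisory's ranges.

    Returns one of:
      'affected'    - inside a listed series and below its fixed release
      'fixed'       - inside a listed series at or above its fixed release
      'unsupported' - Drupal 6 (end of life; advisory points to D6LTS vendors)
      'not listed'  - outside every range the advisory names (e.g. 8.6.x)
    """
    v = parse_version(version)
    if v[0] == 6:
        return "unsupported"
    for series, fixed in FIXED_RELEASES:
        if v[: len(series)] == series:
            return "affected" if v < _normalize(fixed) else "fixed"
    return "not listed"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by assessment so the 'affected' list can be actioned first."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "www-legacy": "7.57",
    "www-intranet": "7.58",
    "www-shop": "8.4.5",
    "www-blog": "8.5.1-rc1",
    "www-docs": "8.5.1",
    "www-archive": "6.38",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(sorted(hosts))}")
```

Hosts reported as "affected" need the upgrade named above; "unsupported" hosts have no official fix path and are the ones to raise with a D6LTS vendor. A "not listed" result only means the version falls outside the ranges this advisory enumerates, not that it has been verified safe.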

Added: May 15, 2026, 11:57 AM
Updated: May 15, 2026, 11:57 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 7.5
exploitability: 9.4
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.