Drupal Core Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Drupal Core versions 7.0 prior to 7.59, 8.0.0 prior to 8.4.8, and 8.5.0 prior to 8.5.3. This vulnerability exists within multiple subsystems of Drupal and allows attackers to exploit various attack vectors, potentially compromising the affected site. The vulnerability is actively being exploited in the wild.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected Drupal site, leading to a complete compromise of the site.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to delete a node can exploit it by sending a crafted request that includes a payload to execute arbitrary PHP code. This can be done by first retrieving a form token from the node deletion confirmation page, then sending a request to delete a node while injecting a PHP command into the form data. Finally, the injected command is executed on the server, and the result can be retrieved by canceling an Ajax action.

Remediation

Users are advised to upgrade to Drupal 7.59, 8.5.3, or 8.4.8. For those unable to update immediately, patches are available for Drupal 7.x and 8.x, but these will only be effective if the site has already applied the fix from SA-CORE-2018-002.