Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Drupal Core Remote Code Execution Vulnerability via RESTful Web Services

Vulnerability

A remote code execution vulnerability exists in Drupal Core versions 8.5.x prior to 8.5.11 and 8.6.x prior to 8.6.10. Certain field types fail to adequately sanitize data from non-form sources, which can lead to arbitrary PHP code execution. This vulnerability is triggered when the Drupal 8 core RESTful Web Services module is enabled and allows PATCH or POST requests, or when another web services module, such as JSON:API in Drupal 8 or Services or RESTful Web Services in Drupal 7, is active.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.

Reproduction

To reproduce this vulnerability, first ensure that a vulnerable version of Drupal is running with the RESTful Web Services module enabled, allowing PATCH or POST requests. Then, send a request to the REST endpoint with a serialized property that, when unserialized, executes a PHP command. This can be done using a tool like PHPGGC to generate the payload, which exploits the vulnerability by leveraging the unserialize() function in PHP.

Remediation

Users of Drupal 8.6.x should upgrade to Drupal 8.6.10. Those on Drupal 8.5.x or earlier should upgrade to Drupal 8.5.11. For Drupal 7, no core update is required, but several contributed modules do need updates.
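As an added example that is not part of this advisory, the following Python triage helper encodes the affected version ranges from the Vulnerability and Remediation sections together with the trigger conditions (core REST accepting PATCH or POST, or another web services module such as JSON:API being active). The function names, the configuration flags and the accepted version format (major.minor or major.minor.patch) are this example's own assumptions, useful for sorting an inventory of sites by patch priority.

```python
# Added triage helper for the Drupal core RCE described above; not part of the
# advisory. Version ranges and exposure conditions come from the text; all
# function names and the configuration flags are this example's own.
import re

# minor -> (first fixed patch level, upgrade target), per the advisory
AFFECTED_8X = {5: (11, "8.5.11"), 6: (10, "8.6.10")}
REST_METHODS = {"PATCH", "POST"}  # methods that make core REST a trigger path


def parse_version(version):
    """Return (major, minor, patch) from '8.6.9' or '7.64' (patch defaults to 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def core_status(version):
    """Classify a core version against the advisory. Returns (affected, action)."""
    major, minor, patch = parse_version(version)
    if major == 7:
        return False, "no core update; update contributed web services modules"
    if major != 8:
        return False, "version not covered by this advisory"
    if minor < 5:  # 8.4.x and earlier: advisory says move to 8.5.11
        return True, "upgrade to 8.5.11"
    if minor in AFFECTED_8X:
        fixed_patch, target = AFFECTED_8X[minor]
        if patch < fixed_patch:
            return True, f"upgrade to {target}"
        return False, "already at or above the fixed release"
    return False, "version not covered by this advisory"


def is_exposed(rest_enabled, rest_methods, other_ws_module=False):
    """True when a trigger path from the advisory is configured: core REST
    accepting PATCH/POST, or another web services module (e.g. JSON:API)."""
    methods = {m.upper() for m in rest_methods}
    return (rest_enabled and bool(methods & REST_METHODS)) or other_ws_module


def triage(version, rest_enabled=False, rest_methods=(), other_ws_module=False):
    """Combine version and exposure into a priority label plus the action."""
    affected, action = core_status(version)
    if not affected:
        return "not affected", action
    if is_exposed(rest_enabled, rest_methods, other_ws_module):
        return "critical", action + " now; exploitation is observed in the wild"
    return "high", action + "; no configured trigger path, but patch anyway"
```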

Added: May 15, 2026, 11:51 AM
Updated: May 15, 2026, 11:51 AM

Vulnerability Rating

Custom Algorithm

  Metric          Score
  spread            7.6
  impact           10.0
  exploitability    9.4
  remediation       8.3
  relevance         0.0
  threat            9.9
  urgency           2.9
  incentive         8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.