Admins

now browsing by tag

 
 

Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw

Source: National Cyber Security – Produced By Gregory Evans

drupal website hacking

If you haven’t recently updated your Drupal-based blog or business website to the latest available versions, it’s the time.

Drupal development team yesterday released important security updates for its widely used open-source content management software that addresses a critical and three “moderately critical” vulnerabilities in its core system.

Considering that Drupal-powered websites are among the all-time favorite targets for hackers, the website administrators are highly recommended to install the latest release Drupal 7.69, 8.7.11, or 8.8.1 to prevent remote hackers from compromising web servers.

Critical Symlinks Vulnerability in Drupal

The only advisory with critical severity includes patches for multiple vulnerabilities in a third-party library, called ‘Archive_Tar,’ that Drupal Core uses for creating, listing, extracting, and adding files to tar archives.

The vulnerability resides in the way the affected library untar archives with symlinks, which, if exploited, could allow an attacker to overwrite sensitive files on a targeted server by uploading a maliciously crafted tar file.

Due to this, to be noted, the flaw only affects Drupal websites that are configured to process .tar, .tar.gz, .bz2, or .tlz files uploaded by untrusted users.

According to Drupal developers, a proof-of-concept exploit for this vulnerability already exists and considering the popularity of Drupal exploits among hackers, you may see hackers actively exploiting this flaw in the wild to target Drupal websites.

Moderately Critical Drupal Vulnerabilities

Besides this critical vulnerability, Drupal developers have also patched three “moderately critical” vulnerabilities in its Core software, brief details of which are as follows:

  • Denial of Service (DoS): The install.php file used by Drupal 8 Core contains a flaw that can be exploited by a remote, unauthenticated attacker to impair the availability of a targeted website by corrupting its cached data.
  • Security Restriction Bypass: The file upload function in Drupal 8 does not strip leading and trailing dot (‘.’) from filenames, which can be used by an attacker with file upload ability to overwrite arbitrary system files, such as .htaccess to bypass security protections.
  • Unauthorized Access: This vulnerability exists in Drupal’s default Media Library module when it doesn’t correctly restrict access to media items in certain configurations. Thus, it could allow a low-privileged user to gain unauthorized access to sensitive information that is otherwise out of his reach.

According to the developers, affected website administrators can mitigate the access media bypass vulnerability by unchecking the “Enable advanced UI” checkbox on /admin/config/media/media-library, though this mitigation is not available in 8.7.x.

Web Application Firewall

All the above “moderately critical” vulnerabilities have been patched with the release of Drupal versions 8.7.11 and 8.8.1, and at the time of writing, no proof-of-concept for these flaws have been made available.

Since a proof-of-concept exists for the critical Drupal vulnerability, users running vulnerable versions of Drupal are highly recommended to update their CMS to the latest Drupal core release as soon as possible.

The Original Source Of This Story: Source link

The post Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw appeared first on National Cyber Security.

View full post on National Cyber Security

Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig

Source: National Cyber Security – Produced By Gregory Evans

rConfig network configuration management vulnerability

If you’re using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.

A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers.

Written in native PHP, rConfig is a free, open source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.

According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load-balancer, WAN optimizers.

What’s more worrisome? Both vulnerabilities affect all versions of rConfig, including the latest rConfig version 3.9.2, with no security patch available at the time of writing.

Discovered by Mohammad Askar, each flaw resides in a separate file of rConfig—one, tracked as CVE-2019-16662, can be exploited remotely without requiring pre-authentication, while the other, tracked as CVE-2019-16663, requires authentication before its exploitation.

  • Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
  • Authenticated RCE (CVE-2019-16663) in search.crud.php

In both cases, to exploit the flaw, all an attacker needs to do is access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.

rConfig vulnerability

As shown in the screenshots shared by the researcher, the PoC exploits allow attackers to get a remote shell from the victim’s server, enabling them to run any arbitrary command on the compromised server with the same privileges as of the web application.

Meanwhile, another independent security researcher analysed the flaws and discovered that the second RCE vulnerability could also be exploited without requiring authentication in rConfig versions prior to version 3.6.0.

“After reviewing rConfig’s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it. Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0,” said the researcher, who goes by online alias Sudoka.

Askar responsibly reported both vulnerabilities to the rConfig project maintainers almost a month back and then recently decided to release details and PoC publicly after the maintainers failed to acknowledge or respond to his findings.

If you are using rConfig, you are recommended to temporarily remove it from your server until security patches arrive.

The Original Source Of This Story: Source link

The post Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig appeared first on National Cyber Security.

View full post on National Cyber Security