Drupal 6 / 7 / 8 Remote Code Execution

chris · 28 March 2018 21:39

Drupal site developers are going to have a late one tonight due to this issue:

https://www.drupal.org/sa-core-2018-002

We have just patched over two dozen sites for clients, in case it helps, following is what we did in the site root for each site.

To find the Drupal version, in the site root:

drush core-status | grep "Drupal version"

To patch the sites (you should probably to a test run with a patch --dry-run argument first):

Drupal 6.x

wget "https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch" -O d6.patch
patch -p1 < d6.patch

Drupal 7.x

wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5" -O d7.patch
patch -p1 < d7.patch

Drupal 8.x

wget "https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f" -O d8.patch
patch -p1 < d8.patch

We only had one site where we needed to manually edit files, for older Drupal versions patch fuzzing did the trick even though the target didn’t match.

Finally, don’t forget to restart apache2 or php-fpm to ensure that any compiled and cached version of the vulnerable code isn’t still being served to clients

David · 29 March 2018 07:50

Thanks Chris…how handy, just before a Bank holiday weekend.

finn · 29 March 2018 11:51

Thanks for the helpful notes Chris. Only just seen this as we were all up until past midnight last night patching all our client sites. Busy night, but all secure for now!

kawaiipunk · 29 March 2018 15:38

We only had one Drupal site to update and we were also up late applying the patch. Looked like a pretty nasty vulnerability. Good to see people were on top of it.