
Drupal Core – Highly Critical – Remote Code Execution - ascorbic
https://www.drupal.org/sa-core-2018-002
======
CiPHPerCoder
Mirrored patches:

Drupal 6: [https://gist.github.com/paragonie-scott/dca4690a504a1d860575...](https://gist.github.com/paragonie-scott/dca4690a504a1d860575041eb274eeef)

Drupal 7: [https://gist.github.com/paragonie-scott/79ddffd734bf15a9d86b...](https://gist.github.com/paragonie-scott/79ddffd734bf15a9d86b723d74d15572)

Drupal 8: [https://gist.github.com/paragonie-scott/ee034dc43cbaafb9ff1c...](https://gist.github.com/paragonie-scott/ee034dc43cbaafb9ff1cfcdda77d3240)

The actual mitigation of these patches: [https://gist.github.com/paragonie-scott/79ddffd734bf15a9d86b...](https://gist.github.com/paragonie-scott/79ddffd734bf15a9d86b723d74d15572#file-drupal-7-x-2018-002-patch-L91)

Explanation:
[https://twitter.com/codeincarnate/status/979080318966730753](https://twitter.com/codeincarnate/status/979080318966730753)

> Drupal uses the hash "#" at the beginning of array keys to signify special
> keys usually that lead to some type of computation. Basically you can inject
> these. See Drupal form API for example

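Added example, not part of the thread or of the linked patches: one way to defend against the key injection described in the quoted explanation is to drop `#`-prefixed keys from request-derived arrays before application code sees them, and to record what was dropped. The function name `strip_hash_keys` and the sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recursively removes array keys that begin with '#' from untrusted input.
 * Returns the cleaned array; the path of every removed key is appended to
 * $removed so the caller can log it.
 */
function strip_hash_keys(array $input, array &$removed = [], string $path = ''): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        // Integer keys cannot start with '#', so only string keys are tested.
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $removed[] = $here;
            continue; // drop the key together with everything nested under it
        }
        $clean[$key] = is_array($value)
            ? strip_hash_keys($value, $removed, $here)
            : $value;
    }
    return $clean;
}

// Constructed sample standing in for parsed request parameters.
$request = [
    'page' => '2',
    'name' => [
        'first'     => 'Ann',
        '#injected' => 'value supplied by the client',
    ],
    '#top' => 'x',
];

$removed = [];
$clean = strip_hash_keys($request, $removed);

var_export($clean);   // only 'page' and 'name' => ['first' => 'Ann'] remain
echo PHP_EOL;

// A dropped key is worth logging: ordinary form submissions do not send them.
foreach ($removed as $name) {
    error_log('dropped request key: ' . $name);
}
```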
------
snowwrestler
I love and use Drupal but this made me laugh:

[https://twitter.com/0xdade/status/979081855692500992](https://twitter.com/0xdade/status/979081855692500992)

> I messaged a former employer today about the Drupal remote code exec.

> Me: "Hey you should patch drupal today, pretty nasty remote code exec bug"

> Him: "And that's a problem? What if the remote code is better than the local
> code?"

~~~
lightlyused
Isn't that last comment the case for most software?

------
Mojah
Mirrored the most important bits here, since the site appears to be struggling
with all traffic: [https://ma.ttias.be/drupal-core-highly-critical-remote-code-...](https://ma.ttias.be/drupal-core-highly-critical-remote-code-execution-sa-core-2018-002/)

------
ams6110
Drupal 6 is also affected, with no mitigation actions announced (other than
basically taking the site offline).

~~~
CiPHPerCoder
Drupal 6 patch:

[https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-...](https://www.drupal.org/files/issues/2018-03-28/SA-CORE-2018-002.patch)

Mirrored:

[https://gist.github.com/paragonie-scott/dca4690a504a1d860575...](https://gist.github.com/paragonie-scott/dca4690a504a1d860575041eb274eeef)

~~~
ams6110
Thanks!

