Drupal vulnerability affects a million sites

News, Vulnerabilities | 4 December, 2020 | 0

A vulnerability in the Drupal web content management system can be exploited to allow arbitrary code execution, affecting almost a million websites.

A security advisory from Drupal describes how this critical vulnerability can be exploited to execute arbitrary PHP code. Security patches are available for Drupal versions 7, 8 and 9.

The problem exists within the PEAR Archive_Tar third-party library, which Drupal uses to decompress certain file types (.tar, .tar.gz, .bz2 and .tlz). As a mitigation, system administrators can configure Drupal not to accept these file types until the patches have been applied.

Any other PHP application that uses the PEAR Archive_Tar library will be similarly vulnerable until the updated library is installed. The vulnerability is described in detail in the problem report on GitHub, which covers CVE-2020-28948 and CVE-2020-28949.

Whether or not you use Drupal, this problem highlights a risk of using third-party libraries in your software projects: they require careful monitoring to ensure that fixes for any vulnerabilities discovered in the library are promptly applied to your own systems.

Security managers are advised to ensure that dependent software libraries imported into in-house-developed systems are monitored and included in monthly patch cycles alongside traditional application and operating system updates.
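The advice above, that any PHP project pulling in PEAR Archive_Tar is exposed until the library is updated and that such dependencies belong in the patch cycle, can be turned into a routine check. The Python script below is an added example, not code from Drupal, PEAR or SecureTeam: it assumes a Composer-managed project (Drupal 8 and 9 install the library as the Packagist package pear/archive_tar) and takes the patched version from the operator, since the fixed release number is not stated here.

```python
# Added example (not Drupal's or SecureTeam's code): scan a composer.lock,
# the dependency manifest Composer-managed Drupal 8/9 sites ship, for
# pear/archive_tar and flag it when the installed version is older than
# the patched release the operator supplies.
import json
import re


def parse_version(version: str) -> tuple:
    """'v1.4.10', '1.4.10' or '1.4' -> (1, 4, 10) / (1, 4, 0).

    Only the leading numeric dotted part is compared; suffixes such as
    '-beta1' are ignored and missing components count as zero.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_lock(lock_json: str, package: str, minimum: str) -> dict:
    """Report whether `package` in a composer.lock is below `minimum`.

    Both 'packages' and 'packages-dev' are scanned: a library pulled in
    only as a dev dependency is still deployed with the code base.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name", "").lower() == package.lower():
                installed = entry["version"]
                return {"found": True, "installed": installed,
                        "vulnerable": parse_version(installed) < parse_version(minimum)}
    return {"found": False, "installed": None, "vulnerable": False}


# Constructed sample lock file: the version strings are illustrative.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "drupal/core", "version": "9.0.8"},
                 {"name": "pear/archive_tar", "version": "v1.4.10"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    # PATCHED_MIN is a placeholder: take the fixed Archive_Tar version
    # from the Drupal advisory, not from this example.
    PATCHED_MIN = "1.4.11"
    print(audit_lock(SAMPLE_LOCK, "pear/archive_tar", PATCHED_MIN))
```

Run it against the real composer.lock of each deployed site as part of the monthly cycle; a "vulnerable": True result means the patched library has not yet reached that system.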
