Free exploit for Drupal 7 and Synapse Roblox has been discovered by a new research team that used the new Drupal 7 codebase to access the exploit.
The researchers say they’ve identified several flaws in Drupal’s code that make the exploit vulnerable to a wide range of different attack vectors.
“There are some things that were pretty easy to find, like the ability to perform arbitrary SQL injections on the site, or to redirect to an arbitrary URL on the server,” lead researcher Matthew Heimbach told Motherboard.
“These were pretty obvious and hard to find.”
The researchers also found a new feature in Drupal, which they call “synapseroblox,” that can “open the server’s file system and read data from arbitrary remote servers.”
This feature, which the researchers called a “synactroblook,” allows attackers to create an empty Drupal 7 site that can then be accessed by an attacker’s compromised server.
“The problem is that synapseroboxto isn’t implemented by the core Drupal, so it’s not exposed by the Drupal security team,” Heimbach explained.
“This makes it vulnerable to attack vectors that are easily exploitable by a variety of people, including the developer.”
The new exploit can be found at: https://drupal-security.org/modules/drupal7-security-exploits-latest-release/free-exploit-synapse-roblOX-explosion-explosive-scheme-0.2.0-rc1-drupal.
The Drupal 7 vulnerability is the latest security flaw to hit the Drupal site hosting platform in 2017, and is the second to be publicly disclosed.
“In addition to this vulnerability, we also discovered a new vulnerability in Drupal 8, Drupal 7, and SynactroboX,” Heimbach said.
“While this isn’t the first time a vulnerability has been exposed on Drupal 7 that allows an attacker to execute arbitrary code, this particular vulnerability has significant potential to be exploited in more than one way.
This vulnerability allows for remote code execution via a PHP file that has been modified in Drupal by the attacker.”
The Drupal security researchers have identified six Drupal 7 vulnerabilities, but only three of those have been disclosed publicly yet.
Heimbach and his team have identified three more Drupal 7-related vulnerabilities, and they’re working on a Drupal 8-related vulnerability.
This isn’t yet the end of the Drupal vulnerabilities’ release cycle, however.
In the coming weeks, the Drupal team will continue to work on fixing more Drupal vulnerabilities.
“We are still actively working on Drupal security updates, but in the coming days we will start rolling out more fixes for Drupal 8 vulnerabilities,” Heimbach said.
In other words, the researchers say it’s a good time to be on the lookout for Drupal’s upcoming security updates.
“A lot of the vulnerabilities are relatively easy to identify and can be easily mitigated with existing configuration settings, so there’s no need to take any drastic action at this point,” Heimbach added.
“Drupal 7 is a highly secure platform, and we will continue working to improve security as it becomes available.”