Drupalgeddon 2.0


Drupal, one of the most popular content management systems (CMS) in use today by private, government and other sectors, was hit by a new exploit this week, here in the Philippines and around the globe. It affects over 1 million sites. The Drupal vulnerability (CVE-2018-7600), also known as “Drupalgeddon2”, is an unauthenticated remote code execution (RCE) vulnerability and was given a severity score of 21 out of 25. In short, it is a vulnerability with high criticality and impact.

This affects Drupal versions < 7.58, < 8.3.9, < 8.4.6 and < 8.5.1. The exploit PoC allows any attacker to upload backdoors or malicious scripts to vulnerable sites. Researchers from Check Point and Drupal published a technical analysis report that basically says “Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure.” Although a patch was released on March 28, 2018, many sites were unable to apply the security update and are left vulnerable.

Meanwhile, an article from Manila Bulletin listed some government, academe and private websites here in the Philippines that were possibly compromised using the reported vulnerability. It would not be a big surprise if more sites were compromised: Drupal is known for having simple yet robust capabilities across a wide range of applications, and on top of that it is free to use and open source.

For those who are wondering how attackers find their targets: in most cases attackers use search engines and a technique called “dorking” (“Google dork”) to enumerate websites by their identifiable signatures or certain features. Another way is to look up the lists or portfolios of website and application developers; for instance, Drupal lists countries and organizations that use the open-source CMS at https://groups.drupal.org/government-sites. Botnets are also used to launch attacks on a wide scale; for example, attackers can launch attacks on IP blocks or target a specific continent or country.

For example:

  • site:ph inurl:”/user/register”
  • site:ph “Powered by drupal”

Another is by using Shodan and Censys:

Shodan.io is a search engine for Internet-connected devices.
Censys.io is a platform that helps information security practitioners discover, monitor, and analyze devices that are accessible from the Internet.

Unsurprisingly, large-scale exploitation using botnets to abuse vulnerable machines was observed. Some machines were targeted for cryptocurrency mining. A successful compromise allows attackers to run crypto-mining scripts or to inject a small piece of JavaScript that executes on the front end (the visitor’s browser) of the affected website. The script basically uses your computer’s computing power, as shown below.

[Figure: Injected mining script on a compromised Drupal website.]
[Figure: CPU utilization hits 100% after mining script execution.]

It has been weeks since the patch was released and yet many sites are still vulnerable. One of the challenges of patching this vulnerability is that it requires manual installation; updating from the dashboard via update.php is not enough. In the absence of the patch, a WAF such as Cloudflare’s or Sucuri’s is able to block or mitigate the attack. It is also possible to mitigate the attack with a rule-based approach on your web server’s firewall; for example, on Apache you can block certain queries using .htaccess.

Solution from Drupal:

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.

Your site’s update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
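To triage an inventory against the version thresholds and upgrade targets quoted above, the following is an added example (not code from Drupal or from the original post). The host names in `SAMPLE` are constructed placeholders, and reading "< 7.58" as covering majors older than 7 is an assumption.

```python
import re

# Fixed release per branch, as listed in this post.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}


def parse(version):
    """'8.4.2' -> (8, 4, 2), '7.56-dev' -> (7, 56); None if no numeric version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    return tuple(int(g) for g in m.groups() if g is not None) if m else None


def triage(version):
    """Return (status, action) for one reported Drupal core version."""
    v = parse(version)
    if v is None:
        return ("unknown", "identify the core version manually")
    if v[0] < 7:
        # Assumption: the post's "< 7.58" is read as covering older majors too.
        return ("vulnerable", "no fixed release listed in this post")
    branch = (7,) if v[0] == 7 else v[:2]
    if branch != (7,) and branch > (8, 5):
        return ("not listed as affected", "none")
    fixed = FIXED.get(branch)
    if fixed is None:  # 8.0.x to 8.2.x: below 8.3.9, no in-branch fix listed
        return ("vulnerable", "upgrade to 8.5.1")
    eol = branch in {(8, 3), (8, 4)}  # fixed, but unsupported per the advisory
    if v >= fixed:
        return ("patched", "move to supported 8.5.x" if eol else "none")
    target = ".".join(map(str, fixed))
    return ("vulnerable", f"upgrade to {target}" + (", then to 8.5.x" if eol else ""))


def report(inventory):
    """Map {host: version} to the hosts that still need work, worst first."""
    rows = [(host, ver, *triage(ver)) for host, ver in inventory.items()]
    order = {"vulnerable": 0, "unknown": 1, "patched": 2, "not listed as affected": 3}
    return sorted((r for r in rows if r[3] != "none"), key=lambda r: (order[r[2]], r[0]))


# Constructed inventory; host names are placeholders.
SAMPLE = {"a.example": "7.56", "b.example": "8.4.6", "c.example": "8.5.1",
          "d.example": "8.2.7", "e.example": "8.3.2", "f.example": "unknown"}
```

`report(SAMPLE)` lists the unpatched hosts first and still flags the patched 8.4.6 site, because that branch is unsupported.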

For further reading, Drupal published a guide in case your site was hacked: “Your Drupal site got hacked. Now what?”


Even if you’re done patching your system, we strongly recommend that you also do forensics to further secure your system and check whether there are backdoors hidden in your machines. This vulnerability is yet another good reason why security shouldn’t be taken for granted.
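As a starting point for that backdoor check, the following added example (not part of the original post or of any Drupal tooling) sweeps a docroot for PHP code inside the web-writable `sites/<site>/files` upload area and for code files changed on or after the March 28, 2018 patch date. The extension list and every file name in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions that hold PHP code in a Drupal tree (assumed list; match your server config).
CODE_EXTS = {".php", ".phtml", ".phar", ".inc", ".module", ".install"}
# Patch release date given in this post; code changed on or after it deserves review.
PATCH_RELEASED = datetime(2018, 3, 28, tzinfo=timezone.utc)


def in_public_files(rel):
    """True for paths under sites/<site>/files, the web-writable upload area."""
    p = rel.parts
    return len(p) > 3 and p[0] == "sites" and p[2] == "files"


def sweep(docroot, since=PATCH_RELEASED):
    """Return sorted (reason, relative_path) findings for a Drupal docroot."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in CODE_EXTS:
                continue
            rel = path.relative_to(root)
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            if in_public_files(rel):
                findings.append(("code-in-upload-dir", rel.as_posix()))
            elif mtime >= since:
                findings.append(("changed-since-patch-date", rel.as_posix()))
    return sorted(findings)


def demo():
    """Sweep a constructed docroot; every file name below is made up."""
    old = datetime(2018, 1, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2018, 4, 20, tzinfo=timezone.utc).timestamp()
    samples = {"index.php": old, "modules/node/node.module": old,
               "includes/helper.inc": new, "sites/default/files/logo.png": new,
               "sites/default/files/styles/cache.php": old}
    with tempfile.TemporaryDirectory() as d:
        for rel, mtime in samples.items():
            f = Path(d) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
            os.utime(f, (mtime, mtime))
        return sweep(d)
```

Modification times can be reset by whoever planted a file, which is why the upload-directory rule ignores them; treat a clean sweep as a first pass and compare core files against a known-good copy of the release.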


Image from: events.drupal.org