Some vulnerabilities in open source components just never seem to go away, even long after a fix has been issued.
Dubbed “Drupalgeddon 2.0”, the vulnerability in the popular content management system (CMS) Drupal continues to leave many of its users exposed, despite having been reported back in March.
A report in June noted that upwards of 115,000 websites were believed to still be vulnerable, their operators having failed to apply the fix. Many organizations, ranging from large corporations to universities, use Drupal to manage the content on their websites.
CVE-2018-7600 is a remote code execution vulnerability that allows attackers to make unauthorized changes to the target’s web content. While some of the websites whose Drupal installations have been compromised have been turned into unwitting cryptocurrency miners using tools like Coinhive, there is a much larger concern that attackers could compromise the integrity of their content.
In some cases they could choose to post offensive content to damage their victims or even delete their posts. However, what is far more concerning is the potential to make changes to existing content, violating the integrity of the content on the target’s website. Should such an attack occur, it could harm the victim’s reputation or worse.
Drupalgeddon 2.0: Par for the Course, Unfortunately
The fact that the Heartbleed vulnerability, which was found in the popular OpenSSL cryptographic library back in April of 2014, is still present in so many applications is not a promising sign that the industry is likely to be any better at patching the Drupal vulnerability anytime soon.
Even following the massive breach of Equifax last year that led to the theft of over 145.9 million personally identifiable information records, it appears that many organizations have failed to patch. A report from
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/why-drupalgeddon-2-0-may-still-be-a-threat-to-your-website