A new critical Remote Code Execution vulnerability in Drupal core was published. This new vulnerability is similar to CVE-2018-7600, also known as “Drupalgeddon 2”. It was found that the sanitation function that was added to address the “Drupalgeddon 2” vulnerability is not covering the case where a parameter contains a path that may be parsed by Drupal’s Forms API. Such case was found when deleting a node in Drupal (a Drupal node can be any content submitted to the site such as Article, page, etc). When submitting the node delete request, Drupal passes a “destination” parameter with a URL to redirect to when the deletion process finishes and this is where an attacker can inject his payload.

Although the vulnerability was classified by Drupal as “Highly Critical”, to exploit this vulnerability the attacker is required to have permission for at least deleting content from the vulnerable Drupal site.

Figure 1: Node deletion request attempting to exploit CVE-2018-7602

The patch submitted by Drupal’s developers added the “checkDestination” function to the “RequestSanitizer.php” file that checks if a “destination” parameter exists in the request and checks whether it contains dangerous values such as array keys starting with “#” (e.g. “http://URL/?destination=URL?param[#]=”). if it finds such dangerous values, it removes the “destination” parameter from the request.

Figure 2: RequestSanitizer.php github commit fixing the vulnerability.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by the existing “Drupalgeddon 2” signature.

Figure 3: Exploit blocked with attack signature 200004440