Drupal security release SA-CORE-2018-002 - now the dust has settled

An article from ComputerMinds - Building with Drupal in the UK since 2005
29th Mar 2018

Mike Dixon

Senior Mind
Hey, you seem to look at this article a lot! Why not Bookmark this article so you can find it easily in the future?

No one seems quite sure what to call SA-CORE-2018-002, although there does seem to be a trend towards drupalgeddon2.  Whatever we call it, it's here and it is every bit as scary as everyone had feared - the key lines from the update :

How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
What privilege level is required for an exploit to be successful? None (all/anonymous users).
Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.
Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.

Scary stuff.  The good news, it was a relatively easy fix, some manic patching later and all our clients are safe.

The patch itself is pretty straightforward; for Drupal 7 there's a new include file "request-sanitizer.inc" which is called into action early in the Drupal bootstrap. That made for a generally quick and easy update (always a blessing when updating multiple sites at 8pm!).

The contents of request-sanitizer.inc boil down to simply stripping all query string keys that start with a '#'. Obviously, there is nothing intrinsically insecure about a query string key starting with a '#', so there must be something more fundamental going on. So, the issue must be something pretty deep in Drupal. 

The patch is definitely more of a workaround (removing the offending keys) rather than actually changing the code that is causing those keys to be a security issue, which right now makes it difficult to see where the actual exploit lies.

… which is probably a good thing. Because for now, it's probably most helpful for the Drupal community to avoid helping the bad guys zero in on the exploit details until we've allowed time for the majority of people to sort out their sites.

So we'll keep our suspicions of where the issue lies to ourselves for the time being. I'm sure we'll start seeing exploit attempts soon - and we will be actively monitoring logs (looking for interesting query string patterns) to see what we find ... more to follow I'm sure.

Previous article

Preparing for PSA-2018-001
Mike Dixon
Senior Mind

Next up

Fixing Drupal, really quickly
James Williams
Senior Developer

Hi, thanks for reading

ComputerMinds are the UK’s Drupal specialists with offices in Bristol and Coventry. We offer a range of Drupal services including Consultancy, Development, Training and Support. Whatever your Drupal problem, we can help.