Drupal security release SA-CORE-2018-002 - now the dust has settled
No one seems quite sure what to call SA-CORE-2018-002, although there does seem to be a trend towards drupalgeddon2. Whatever we call it, it's here and it is every bit as scary as everyone had feared - the key lines from the update :
How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
What privilege level is required for an exploit to be successful? None (all/anonymous users).
Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.
Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.
Scary stuff. The good news, it was a relatively easy fix, some manic patching later and all our clients are safe.
The patch itself is pretty straightforward; for Drupal 7 there's a new include file "request-sanitizer.inc" which is called into action early in the Drupal bootstrap. That made for a generally quick and easy update (always a blessing when updating multiple sites at 8pm!).
The contents of request-sanitizer.inc boil down to simply stripping all query string keys that start with a '#'. Obviously, there is nothing intrinsically insecure about a query string key starting with a '#', so there must be something more fundamental going on. So, the issue must be something pretty deep in Drupal.
The patch is definitely more of a workaround (removing the offending keys) rather than actually changing the code that is causing those keys to be a security issue, which right now makes it difficult to see where the actual exploit lies.
… which is probably a good thing. Because for now, it's probably most helpful for the Drupal community to avoid helping the bad guys zero in on the exploit details until we've allowed time for the majority of people to sort out their sites.
So we'll keep our suspicions of where the issue lies to ourselves for the time being. I'm sure we'll start seeing exploit attempts soon - and we will be actively monitoring logs (looking for interesting query string patterns) to see what we find ... more to follow I'm sure.