A vulnerability in the Symfony HttpFoundation component tracked as CVE-2018-14773, could be exploited by attackers to take full control of the affected Drupal websites.
Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, the version 8.5.6.
“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.
“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”
Symfony HttpFoundation component is a third-party library used in the Drupal Core, the flaw affects Drupal 8.x versions before 8.5.6.
Symfony is web application framework that is being used by a lot of projects, this means that the CVE-2018-14773 vulnerability could potentially affect a large number of web applications.
The flaw is due to the Symfony’s support for legacy and risky HTTP headers.
“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.
“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” reads the security advisory published Symfony.
A remote attack can trigger the flaw by using specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value.
According to the security advisory published by Symfony, the version 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 addressed the flaw.
The Drupal maintainers also found a similar issue affecting the Zend Feed and Diactoros libraries used in the Drupal Core. The libraries are affected by an ‘URL Rewrite vulnerability,’ anyway the Drupal team confirmed that the Drupal Core does not use the vulnerable functionality.
Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.
Drupal administrators need to patch their installs urgently before hackers will start exploiting the CVE-2018-14773 flaw.