module
Drupal RESTful Web Services unserialize() RCE
| Disclosed | Created |
|---|---|
| 2019-02-20 | 2019-03-19 |
Disclosed
2019-02-20
Created
2019-03-19
Description
This module exploits a PHP unserialize() vulnerability in Drupal RESTful
Web Services by sending a crafted request to the /node REST endpoint.
As per SA-CORE-2019-003, the initial remediation was to disable POST,
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
(albeit cached). Cached nodes can be exploited only once.
Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
this alternate vector.
Drupal
Web Services by sending a crafted request to the /node REST endpoint.
As per SA-CORE-2019-003, the initial remediation was to disable POST,
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
(albeit cached). Cached nodes can be exploited only once.
Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
this alternate vector.
Drupal
Authors
Jasper Mattsson
Charles Fol
Rotem Reiss
wvu wvu@metasploit.com
Charles Fol
Rotem Reiss
wvu wvu@metasploit.com
Platform
PHP,Unix
Architectures
php, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.