After scrambling to patchVulnerability-related.PatchVulnerabilitya critical vulnerability late last month , Drupal is at it again . The open source content management project has issuedVulnerability-related.PatchVulnerabilityan unscheduled security update to augment its previous patch for Drupalgeddon2 . There was also a cross-site scripting bug advisory in mid-April . The latest Drupal core vulnerability , designatedVulnerability-related.DiscoverVulnerability, SA-CORE-2018-004 and assignedVulnerability-related.DiscoverVulnerabilityCVE-2018-7602 , is related to the March SA-CORE-2018-002 flaw ( CVE-2018-7600 ) , according to the Drupal security team . It can be exploitedVulnerability-related.DiscoverVulnerabilityto take over a website 's server , and allow miscreants to steal information or alter pages . `` It is a remote code execution vulnerability , '' explained a member of the Drupal security team in an email to The Register . `` No more technical details beyond that are available . '' The vulnerability affectsVulnerability-related.DiscoverVulnerabilityat least Drupal 7.x and Drupal 8.x . And a similar issue has been foundVulnerability-related.DiscoverVulnerabilityin the Drupal Media module . In a blog post from earlier this month about the March patch , Dries Buytaert , founder of the Drupal project , observedVulnerability-related.DiscoverVulnerabilitythat all software has security issues and critical security bugs are rare . While the March bug is being actively exploitedVulnerability-related.DiscoverVulnerability, the Drupal security team says it 's unaware of any exploitation of the latest vulnerability . But it wo n't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice . The fix is to upgradeVulnerability-related.PatchVulnerabilityto the most recent version of Drupal 7 or 8 core . The latest code can be found at Drupal 's website . For those running 7.x , that means upgrading to Drupal 7.59 . For those running , 8.5.x , the latest version if 8.5.3 . And for those still on 8.4.x , there 's an upgrade to 8.4.8 , despite the fact that as an unsupported minor release , the 8.4.x line would not normally getVulnerability-related.PatchVulnerabilitysecurity updates . And finally , if you 're still on Drupal 6 , which is no longer officially supported , unofficial patches are being developedVulnerability-related.PatchVulnerabilityhere . Drupal users appear to be taking the release in stride , though with a bit of grumbling . `` Drupal Wednesday looks like the new Windows patch day , '' quipped designer Tom Binroth via Twitter . `` I would rather spend my time on creating new stuff than patchingVulnerability-related.PatchVulnerabilityDrupal core sites . ''
A serious vulnerability in a widely used , and widely forked , jQuery file upload plugin may have been exploitedVulnerability-related.DiscoverVulnerabilityfor years by hackers to seize control of websites – and is only now patchedVulnerability-related.PatchVulnerability. Larry Cashdollar , a bug-hunter at Akamai , explainedVulnerability-related.DiscoverVulnerabilitylate last week how the security shortcoming , designatedVulnerability-related.DiscoverVulnerabilityCVE-2018-9206 , allows a miscreant to upload and execute arbitrary code as root on a website that uses the vulnerable code with the Apache web server . This would potentially allow an attacker to , among other things , upload and run a webshell to execute commands on the target machine to stealAttack.Databreachdata , change files , distribute malware , and so on . Cashdollar – real name , he swears – was able to trackVulnerability-related.DiscoverVulnerabilitythe flaw down to Sebastian Tschan 's open-source jQuery File Upload tool , and got the developer to fixVulnerability-related.PatchVulnerabilityit in version 9.22.1 . The flaw stems from a change to the Apache web server , from version 2.3.9 and onwards , that disabled support for .htaccess security configuration files , which left projects like jQuery File Upload open to exploitation . Additionally , Cashdollar notedVulnerability-related.DiscoverVulnerability, it is almost certain he was not the first person to come acrossVulnerability-related.DiscoverVulnerabilitythis simple vulnerability . Demonstration videos on YouTube suggest similar flaws are knownVulnerability-related.DiscoverVulnerabilityto miscreants , and have been targeted in some circles for years . `` The internet relies on many security controls every day in order to keep our systems , data , and transactions safe and secure , '' Cashdollar said . `` If one of these controls suddenly does n't exist it may put security at risk unknowingly to the users and software developers relying on them . '' So , it 's believed hackers have been quietly exploiting the bug for several years as the flaw itself is fairly trivial and also eight years old . Now that details of the vulnerability are publicVulnerability-related.DiscoverVulnerability, exploit code has been produced , for example , here , and may be handy if you wish to test whether or not your website is vulnerableVulnerability-related.DiscoverVulnerabilityto CVE-2018-9206 . In any case , loads of people now know about it , so that means more miscreants menacing and hijacking vulnerable websites .