More details on Drupal maintenance support plans SA-CORE-2020-002

Wed, 03/28/2020 – 20:00

Blog customers should visit Safe from DrupalGeddon II aka SA-CORE-2020-02 for the specific steps we took to protect all our Drupal maintenance support plans instances.
Earlier today, a critical remote code execution vulnerability in Drupal maintenance support plans 6, 7, and 8 was disclosed. This highly critical issue affects all Drupal maintenance support plans 7.x and 8.x sites and most Drupal maintenance support plans 6.x sites. It is trivially exploitable remotely by anonymous users on any site that exposes forms. It is very possible that your site exposes this vulnerability even if you are not aware of any publicly accessible forms. You should immediately update any Drupal maintenance support plans site you have to version 8.5.1, 8.4.6, or 7.58, as appropriate.
How do I know if I am affected?
We are currently not aware of exploits of this vulnerability in the wild, but this will undoubtedly change in the next few hours. Writing an exploit for this is trivial, and you should expect automated internet-wide attacks before the day is out.
You should take immediate steps to protect yourself. This is as bad as or worse than the previous highly critical vulnerability SA-CORE-2020-05 that wreaked havoc three and a half years ago, affecting more than 12 million websites.
(Like, seriously, if you are reading this and you are not on or another provider that has put a platform-level mitigation in place, go update your sites and then come back and finish reading. Please. customers, see below for how to quickly update your site.)
Where does the vulnerability come from?
The issue is in Drupal maintenance support plans's handling of HTTP request parameters that contain certain special characters. These characters have special meaning in various places in Drupal maintenance support plans, which, if misinterpreted, could lead to unexpected code paths being executed. The solution in the latest patch is to filter out such values before passing them off to application code.
Fortunately that same strategy can be implemented at the network layer. We have therefore applied the same logic to our Web Application Firewall to reject requests containing such values and deployed it across all projects in all regions, both Professional and Enterprise. That should protect all Drupal maintenance support plans and Backdrop installations running anywhere on until they are upgraded.
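The two strategies described above, as an added illustration that is not code from the original post or from any hosting provider: one function drops offending parameters the way an application-layer filter would, the other rejects the whole request the way a WAF rule would. The page only says "certain special characters"; this example assumes the marker is a leading `#` on a parameter key (at any nesting depth of a PHP-style name such as `field[#type]`), and the request it inspects is constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumption (the page only says "certain special characters"): the marker is a
# leading '#' on a parameter key, at any nesting depth.
UNSAFE_PREFIX = "#"
SEGMENT_RE = re.compile(r"\[([^\]]*)\]")


def key_segments(key: str) -> list[str]:
    """Split a PHP-style parameter name such as 'field[#type][]' into its
    nested segments: ['field', '#type', '']."""
    base, _, rest = key.partition("[")
    segments = [base]
    if rest:
        segments += SEGMENT_RE.findall("[" + rest)
    return segments


def unsafe_segments(key: str) -> list[str]:
    """Return every segment of the key that starts with the unsafe prefix
    (an empty list means the key is clean)."""
    return [s for s in key_segments(key) if s.startswith(UNSAFE_PREFIX)]


def sanitize_params(encoded: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Application-layer strategy: drop offending parameters before they
    reach application code and keep the rest. parse_qsl percent-decodes
    keys, so an encoded 'field%5B%23type%5D' is caught as well."""
    kept, dropped = [], []
    for key, value in parse_qsl(encoded, keep_blank_values=True):
        if unsafe_segments(key):
            dropped.append(key)
        else:
            kept.append((key, value))
    return kept, dropped


def waf_verdict(query_string: str, form_body: str = "") -> tuple[str, list[str]]:
    """Network-layer strategy: reject the whole request if any parameter in
    the query string or a form-encoded body carries an unsafe key."""
    offending = []
    for part in (query_string, form_body):
        offending += sanitize_params(part)[1]
    return ("reject" if offending else "allow"), offending


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    print(waf_verdict("q=node/1", "form_id=example&field%5B%23type%5D=x"))
```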
What to do?
You must update any and all Drupal maintenance support plans instances with 6.x, 7.x and 8.x or Backdrop CMS, or verify that your hosting provider has put in place an automated mitigation strategy for this vulnerability. (All clients are safe; our new WAF now detects and blocks all variants of this attack). Even if your hosting provider has a mitigation strategy in place you should update immediately anyway.
Drupal maintenance support plans 6.x is no longer maintained and, unlike Drupal maintenance support plans 7.x and 8.x, it does not support automated updates. Third-party support providers may provide a patch, but you should make plans to upgrade from Drupal maintenance support plans 6 to Drupal maintenance support plans 8 as soon as possible.
Hopefully you are using Composer for your Drupal maintenance support plans 7.x and 8.x or Drush make for Drupal maintenance support plans 7.x, as is the default with installations.
To upgrade Drupal maintenance support plans via Composer
To update your Drupal maintenance support plans instances and test that nothing breaks, you can follow this simple procedure:
Verify that your composer.json file does not lock down drupal core to a minor version; it should be something like "drupal/core": "~8.0". Then run:
git checkout -b security_update
composer update

Make sure that Drupal maintenance support plans core was updated to 8.5.1 or higher (check composer.lock using git diff). Commit and push your changes:
git commit -am 'fix for SA-CORE-2020-02' && git push
On you can test that everything is fine on your automatically-generated staging environment, then merge to master, putting this into production.
If you do not use you should test this either locally or on your testing server, and follow your normal procedure to update your live sites.
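To make the "check composer.lock" step repeatable across many sites, here is an added Python check that is not part of the original post: it reads the drupal/core entry from a composer.lock, compares it against the fixed releases named above per branch (7.58, 8.4.6, 8.5.1), and separately flags a composer.json constraint that pins an exact release and would stop composer update from pulling the fix. The lock file content is a constructed sample.

```python
import json
import re

# Fixed releases named in the advisory, per branch.
FIXED = {"7": (7, 58), "8.4": (8, 4, 6), "8": (8, 5, 1)}


def parse_version(version: str) -> tuple[int, ...]:
    """'8.5.1' -> (8, 5, 1). A leading 'v' and a '-dev'/'-beta1' style
    suffix are dropped; a non-numeric part such as the 'x' in '8.5.x' is
    skipped, so dev branches compare as not fixed."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    return tuple(int(n) for n in core.split(".") if n.isdigit())


def is_fixed(version: str) -> bool:
    """True if a drupal/core version is at or above the fixed release for its
    branch (7.x -> 7.58, 8.4.x -> 8.4.6, other 8.x -> 8.5.1). 6.x has no
    fixed release, so it is always reported as not fixed."""
    v = parse_version(version)
    if v[:1] == (7,):
        return v >= FIXED["7"]
    if v[:2] == (8, 4):
        return v >= FIXED["8.4"]
    if v[:1] == (8,):
        return v >= FIXED["8"]
    return False


def pinned_to_release(constraint: str) -> bool:
    """True when a composer.json constraint pins one exact release (e.g.
    '8.5.0'); ranges such as '~8.0', '^8.4' or '8.*' are left alone."""
    return re.fullmatch(r"v?\d+(\.\d+)*", constraint.strip()) is not None


def check_composer_lock(lock_json: str):
    """Find drupal/core in a composer.lock and report (version, fixed),
    or None when the package is absent."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "drupal/core":
            return pkg["version"], is_fixed(pkg["version"])
    return None


# Constructed composer.lock fragment, not a real project's file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.5.0"},
    {"name": "symfony/http-foundation", "version": "v3.4.6"},
]})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))  # ('8.5.0', False): still vulnerable
```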
To upgrade Drupal maintenance support plans using Drush Make
If you are using the "Drush Make" style of dependency management, again, make sure you are not locked down to a vulnerable version such as:
projects[drupal][version] = 7.57
If it is, bump it to 7.58. Then make a branch and update it:
git checkout -b security_update
drush pm-update

Commit the changes and push the result to for testing. Once you're satisfied nothing is broken, merge back to master and deploy.
To upgrade Drupal maintenance support plans if you’re checking Drupal maintenance support plans core into your repository
If you're running a "vanilla" Drupal maintenance support plans setup, with all of Drupal maintenance support plans checked into Git, the easiest way to upgrade is using drush.
In your local environment, go to your Drupal maintenance support plans document root and run:
git checkout -b security_update
drush pm-update drupal

Commit the changes and push the result to for testing. Once you're satisfied nothing is broken, merge back to master and deploy.
Afterward, look into migrating your site to a dependency-managed configuration, preferably Composer. It will make maintenance far easier and more robust in the future.
As a reminder, your instances are not vulnerable as they are protected by our WAF. You should still apply the fixes ASAP.

Damien Tournoud

28 Mar, 2020

Source: New feed

This article was republished from its original source.