The popular content management system Drupal has released an advisory that addresses a critical vulnerability. Drupal has stated that exploitation of this vulnerability could allow a remote attacker to take control of an affected system. Users and administrators are therefore advised to apply the necessary updates to Drupal and to take the other mitigation steps detailed in this advisory.
Drupal core 8.x versions prior to 8.1.7 are vulnerable; the advisory states that Drupal core 7.x is not affected, but Drupal nevertheless recommends applying the mitigation steps detailed below.
Description of the Vulnerability
Drupal 8 uses a third-party PHP library named Guzzle to make server-side HTTP requests. A remote attacker can supply a proxy server that Guzzle will then use for those requests. The set of vulnerabilities to which this belongs is known as “httpoxy”. This set of vulnerabilities, first identified as far back as 2001, affects application code running in CGI or CGI-like environments, and comes down to a namespace conflict involving the environment variable name HTTP_PROXY: CGI copies the client's Proxy request header into the HTTP_PROXY environment variable, which is the same variable many HTTP client libraries read to locate an outbound proxy. This in turn leads to a remotely exploitable vulnerability. A more detailed description of httpoxy can be read at http://httpoxy.org.
Recommended Course of Action
Drupal recommends that the first course of action for users of Drupal core 8.x versions is to upgrade to version 8.1.7 or above. Even if you use 7.x versions of Drupal, you might still be vulnerable if another application on the same server has the vulnerability. Therefore, blocking Proxy request headers is also recommended. According to httpoxy.org, “How you block a Proxy header depends on the specifics of your setup. The earliest convenient place to block the header might be at a web application firewall device, or directly on the webserver running Apache or NGINX”. The page also recommends mitigating as early and as far upstream as possible. Drupal recommends this mitigation even if you have upgraded to version 8.1.7 or above.
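The following is an added illustration, not code from the Drupal advisory, Guzzle or httpoxy.org. It models the CGI header-to-environment mapping that the description above refers to, shows why a client-supplied Proxy header ends up in HTTP_PROXY, and contrasts an unmitigated gateway with one that drops the header before the mapping, which is the effect of the Apache and NGINX rules httpoxy.org recommends. The request headers are constructed sample data, and the function and variable names are this example's own.

```python
"""Added example (not from the Drupal advisory, Guzzle or httpoxy.org):
how a CGI-style gateway turns request headers into HTTP_* environment
variables, and the defensive step of dropping the Proxy header first.
"""
from typing import Dict, Optional

# Constructed sample request; not captured traffic. The Proxy header is
# client-supplied and is exactly what an httpoxy-style request would carry.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "example.invalid",
    "User-Agent": "curl/7.0",
    "Proxy": "http://proxy.example:8080",  # constructed client-controlled value
}


def header_to_env_name(header_name: str) -> str:
    """RFC 3875 meta-variable naming: 'User-Agent' -> 'HTTP_USER_AGENT',
    and, crucially, 'Proxy' -> 'HTTP_PROXY'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def naive_cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Unmitigated gateway: every request header becomes an HTTP_* variable,
    so the client's Proxy header lands in HTTP_PROXY."""
    return {header_to_env_name(k): v for k, v in headers.items()}


def hardened_cgi_environ(headers: Dict[str, str]) -> Dict[str, str]:
    """Mitigated gateway: discard the Proxy header (case-insensitively) before
    mapping, matching the effect of 'RequestHeader unset Proxy early' on
    Apache or 'fastcgi_param HTTP_PROXY "";' on NGINX as given by httpoxy.org."""
    return {
        header_to_env_name(k): v
        for k, v in headers.items()
        if k.lower() != "proxy"
    }


def proxy_header_present(headers: Dict[str, str]) -> bool:
    """Detection: no legitimate HTTP client sends a Proxy header, so its
    presence in a request is worth logging at the WAF or webserver."""
    return any(k.lower() == "proxy" for k in headers)


def outbound_proxy_for(environ: Dict[str, str]) -> Optional[str]:
    """Models an HTTP client library's proxy lookup: it reads HTTP_PROXY
    without knowing whether the operator or the remote client set it."""
    return environ.get("HTTP_PROXY")


if __name__ == "__main__":
    print("Proxy header present:", proxy_header_present(SAMPLE_HEADERS))
    print("naive gateway proxy:", outbound_proxy_for(naive_cgi_environ(SAMPLE_HEADERS)))
    print("hardened gateway proxy:", outbound_proxy_for(hardened_cgi_environ(SAMPLE_HEADERS)))
```

The design point is that the fix belongs at the gateway, before the environment is built: once HTTP_PROXY exists in the process environment, application code and its libraries have no reliable way to tell an operator-configured proxy from a client-injected one, which is why httpoxy.org recommends blocking the header as far upstream as possible.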
Drupal’s security advisory on this vulnerability is published at https://www.drupal.org/SA-CORE-2016-003. httpoxy has been described in detail at http://httpoxy.org, which explains how to mitigate this set of vulnerabilities across a range of implementations. This is a must-read page for users and administrators running Drupal.
The CERT vulnerability note for this issue is located at https://www.kb.cert.org/vuls/id/797896, and gives a detailed description of the vulnerability and solutions for different implementations.