by David Snopek on February 17, 2016 - 6:35am

If you don't follow security news, you might not be aware of the libc vulnerability published yesterday. The vulnerability was introduced in 2008, so it likely affects every Linux server (and desktop, if you run Linux on the desktop) that you're responsible for.

It's a remote code execution vulnerability, meaning attackers can run arbitrary code on your server. It's in the function used to look up domain names, so it can be exploited through any code that requests a URL, simply by giving it a special domain name!

While this isn't a Drupal vulnerability, it could definitely be exploited from Drupal, if you provide a way for users to ask the server to request a URL.

The first example that comes to mind is if you're using the Feeds module and allow authenticated users to create a new feed (either in the admin UI, or by creating a special piece of content). All they need to do is enter a URL with a special domain name, and when Feeds tries to download it, they'd be able to execute code on your server!

But there are probably countless other examples...

So, if you didn't update yesterday, then be sure to update today!
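One thing worth checking after the package update: a web server, PHP-FPM or any other long-running process keeps the old library mapped in memory until it is restarted, so updating alone is not enough. The POSIX shell script below is an added example (not from the original post) that lists such processes; it assumes a Linux `/proc` and a libc file named `libc-*.so` or `libc.so.*`, which the kernel marks `(deleted)` in a process's map once the file on disk has been replaced.

```shell
#!/bin/sh
# Added example, not part of the original post.
# After a libc package upgrade, processes still running with the OLD library
# show it in /proc/<pid>/maps with a "(deleted)" suffix. Those processes need
# a restart (or the machine a reboot) before the fix actually applies to them.
# Assumptions: Linux /proc, libc file names like libc-2.19.so or libc.so.6.

# maps_has_stale_libc FILE
# Returns 0 (true) if FILE, in /proc/<pid>/maps format, contains a libc
# mapping whose backing file has been replaced on disk.
maps_has_stale_libc() {
    grep -E '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" >/dev/null 2>&1
}

# stale_libc_pids
# Prints "PID command" for every readable process that still maps a stale libc.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Without root, other users' map files are unreadable; skip them.
        [ -r "$maps" ] || continue
        if maps_has_stale_libc "$maps"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Usage: sh stale_libc.sh --scan   (run as root for a complete view)
# No output means no process is still using the old library.
if [ "${1:-}" = "--scan" ]; then
    stale_libc_pids
fi
```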
