[Alert] Drupal 8 Remote Code Execution Vulnerability

  • Source:SANGFOR Security Center
  • Date Published:2019-02-28


On February 20, 2019, the Drupal security team has announced a highly critical remote code execution vulnerability in Drupal 8, tracked as SA-CORE-2019-003 and CVE-2019-6340, in the latest security update bulletin. The official site sets this vulnerability as Highly Critical, with a 21/25 security risk score.  The vulnerability is actually caused by the lack of proper data  sanitization in some fields when users enable Drupal Core RESTful Web Services (rest) module.  In some cases, it allows arbitrary PHP code execution, remote and complete control over the server.

Sangfor security team makes response and releases alert as soon as possible, and continues to track its development.

Threat Level: High



Drupal is an open source content-management framework(CMF) written in PHP, consisting of content-management system(CMS) and PHP framework. Framework refers to powerful PHP class and function libraries, and an abstract Drupal API in Drupal core. As Drupal CMS has powerful features which can be configured flexibly, it can be used by a variety of websites, from personal Web blogs to community-driven websites.

Drupal employs cutting edge technology to ensure code security and robustness. Therefore, many foreign governments and institutions use Drupal CMS to build websites, such as the White House, the United States Department of Commerce, New York Times, Sony, etc.,as well as lots of Chinese universities.

Vulnerability Description

A remote code execution vulnerability exists in Drupal Core. This vulnerability targets Drupal 8 Rest module, which is disabled by default. But in most cases, this module will be enabled by users. The vulnerability is actually caused by the lack of proper data sanitization in some fields when users enable Drupal Core RESTful Web Services (rest) module. In some cases, it may result in arbitrary PHP code execution. In addition, we found that the remediation for this vulnerability is not enough. Users possibly do not allow POST and PATCH requests to web services resources according to the official fix solution for this vulnerability. But attackers can also achieve remote code execution without any permissions via GET requests. Therefore, users have to upgrade to the latest version or disable RESTful Web Services, otherwise your website may still be at risk.

Vulnerability Analysis

Through analyzing patches for Drupal 8.6.9 and 8.6.10, we found that, FieldItemNormalizer now uses a new trait SerializedColumnNormalizerTrait, in REST module.  The trait provides the checkForSerializedStrings() method, which raises an exception if a string is provided for a value that is stored as a serialized string. This indicates the exploitation vector fairly clearly: through a REST request, the attacker needs to send a serialized property. This property will later be unserialized, thing that can easily be exploited using tools such as PHPGGC.  


Another modified file gives indications as to which property can be used: LinkItem now uses unserialize ($ values [’options’],[’allowed_classes’=> FALSE]); instead of the standard unserialize ($ values [’options’]);.

图片2.png As for all FieldItemBase subclasses, LinkItem references a property type.  Shortcut uses this property type, for a property named link.

Having all these elements in mind, triggering an unserialize is fairly easy:

GET /drupal-8.6.9/node/1?_format=hal_json HTTP/1.1


Content-Type:  application/hal+json

Content-Length:  642



  "link": [


      "value": "link",

      "options": ""



  "_links": {

    "type": {

      "href": "http://siteserver/drupal-8.6.9/rest/type/shortcut/default"




Therefore, we can put unserialized payload in the options parameter to trigger the vulnerability.

Vulnerability Reproduction

We set up and enabled RESTful Web Services module in the background, attacked Drupal-based website with constructed payload, and then executed the command.


Globally, there are over 1489923 Drupal-based websites available to users, among which over 40,000 are in China.

Affected Versions:

Drupal 8.6.x versions earlier than 8.6.10

Drupal 8.5.x versions earlier than 8.5.11





Sangfor Solution

Sangfor Security Cloud has updated in the first place and gained the ability to probe websites for this vulnerability and ensure user security.

For Sangfor NGAF customers, simply keep NGAF up to date and turn on the corresponding security protection feature.

Remediation Solution

Security patches for Drupal 8.6.10 and 8.5.11 have been released in Drual official site. Please update to Drupal 8.6.10 or 8.5.11.

Download Drupal 8.6.10 updates from: https://www.drupal.org/project/drupal/releases/8.6.10 

Download Drupal 8.5.11 updates from: https://www.drupal.org/project/drupal/releases/8.5.11 

If RESTful Web Services are not necessary, disable the RESTful Web Services module. If you only disable POST or PATCH requests, the website is still in danger.