Stopping Drupal’s SA-CORE-2019-003 Vulnerability
On February 20th, 2019, Drupal announced the discovery of a severe vulnerability in its system and released a patch for it the next day. Cloudflare quickly analyzed the patch to identify potential payloads that could be used against the vulnerability and created rules to mitigate these threats. Within an hour of the Drupal announcement, Cloudflare had deployed several experimental rules to catch exploit attempts. By February 22nd, its WAF rule D0020 had already blocked a number of attackers. The first malicious payload uploaded a backdoor file onto the target system, allowing continued access even after patching. Another, minimalistic payload created a PHP file on the server that could execute arbitrary commands directly on the potentially vulnerable system. The vulnerability was weaponized within two days of disclosure, highlighting the importance of timely patches and effective security measures like Cloudflare's WAF to protect against emerging threats.
Company: Cloudflare
Date published: March 5, 2019
Author(s): Richard Sommerville
Word count: 823
Hacker News points: None found.
Language: English