Stopping Drupal’s SA-CORE-2019-003 Vulnerability

What's this blog post about?

On February 20th, 2019, Drupal announced the discovery of a severe vulnerability in their system and released a patch for it the next day. Cloudflare quickly analyzed the patch to identify potential payloads that could be used against the vulnerability and created rules to mitigate these threats. Within an hour of the Drupal announcement, Cloudflare had deployed several experimental rules to catch exploit attempts. By February 22nd, its WAF rule D0020 had already blocked a number of attackers. The first malicious payload uploaded a backdoor file onto the target system, allowing continued access even after patching. Another, minimal payload created a PHP file on the server that could execute arbitrary commands directly on the potentially vulnerable system. This vulnerability was weaponized within two days of disclosure, highlighting the importance of timely patches and effective security measures like Cloudflare's WAF to protect against emerging threats.

Company
Cloudflare

Date published
March 5, 2019

Author(s)
Richard Sommerville

Word count
823

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.