Remote code executionCVE-2018-76002018 5 min read

What was Drupalgeddon2?

Drupal did not fully clean certain request data before processing it. That let anyone, with no account, run code on the site. Mass exploitation started within days and ran for years.

0
authentication needed
1M+
Drupal sites potentially exposed
Days
from patch to mass exploitation
Years
of compromised sites in the long tail

What happened

In 2018 the Drupal team patched a flaw in how core handled certain request data. The data could carry instructions that Drupal would act on, which meant an unauthenticated visitor could run code on the server.

The advisory was blunt about the severity. Within days a public exploit appeared, and attackers started taking over sites at scale.

How form input ran code

Drupal builds pages from nested structures, and some request data was allowed to feed into those structures without being cleaned first. Crafted input reached a place where it was treated as instructions rather than text.

No login, no special access. Just a request shaped the right way to a normal endpoint.

Why unauthenticated RCE is the worst kind

Most serious bugs need some foothold first. Unauthenticated remote code execution needs nothing. Anyone who can reach the site can take it over, which makes it perfect for automated, internet-wide attacks.

Sites that did not patch within the first days were often compromised before their owners even saw the advisory.

How it unfolded

  1. Mar 28, 2018
    Drupal ships the patch with a high-severity advisory.
  2. Apr 2018
    A public exploit lands and mass exploitation begins within days.
  3. 2018 onward
    Compromised, unpatched Drupal sites keep surfacing for a long time.
Where buggy.run fits

Unauthenticated remote code execution on a public endpoint is the exact thing an attacker scans for, and the exact thing worth checking before they do.

buggy.run walks your public surface and probes it the way an attacker would, so an endpoint that does something it should never do is surfaced rather than waiting to be found in the wild.

What to take away

  • Patch CMS core the day a critical advisory lands. The window is measured in days.
  • Sanitize all request input, including the parts frameworks parse for you.
  • Keep your public attack surface as small as possible.
  • Watch for web shells and unexpected files after any critical CMS flaw.

Find your unnoticed bug before someone else does.

buggy.run signs in, captures your real traffic, and hunts the quiet flaws that scanners miss. You get every finding in plain English with the fix.