Drupal Core – Injection (Highly Critical)

Description: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details are explained at https://httpoxy.org/.

Affected versions: Drupal core 8.x versions prior to 8.1.7

Recommended action: Install the latest version:

  • If you use Drupal 8.x, upgrade to Drupal core 8.1.7
  • If you use Drupal 7.x, Drupal core is not affected. However, you should consider using the mitigation steps at https://httpoxy.org/, since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:
    <IfModule mod_headers.c>
      RequestHeader unset Proxy
    </IfModule>

Applying the mitigations described at https://httpoxy.org/ is also suggested.
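Why unsetting the header works, as an added example (not code from Drupal, Guzzle or httpoxy.org): a simplified Python model of how a CGI-style server turns request headers into `HTTP_*` environment variables, so that a `Proxy` header collides with `HTTP_PROXY`, and of the two fixes (dropping the header at the web server, or honouring `HTTP_PROXY` only for command-line runs). The function names, the `sapi` parameter and the sample values are assumptions made for illustration.

```python
# Added example: simplified model of CGI header-to-environment mapping and the
# two mitigations. All names and sample values below are constructed.

def cgi_environ(headers, strip_proxy_header=False):
    """Build CGI-style meta-variables from request headers.

    strip_proxy_header=True models `RequestHeader unset Proxy` at the web server.
    """
    env = {}
    for name, value in headers.items():
        if strip_proxy_header and name.lower() == "proxy":
            continue  # dropped before the application ever sees it
        # CGI convention: prefix HTTP_, upper-case the name, '-' becomes '_'
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def naive_outbound_proxy(env):
    """Model of a client that trusts HTTP_PROXY in every execution context."""
    return env.get("HTTP_PROXY")


def outbound_proxy(env, sapi):
    """Model of a guarded client: HTTP_PROXY is honoured only for CLI runs,
    where it was set by the operator and cannot come from a request header.
    `sapi` is a hypothetical stand-in for the server API name."""
    if sapi == "cli":
        return env.get("HTTP_PROXY")
    return None


# Constructed sample request; proxy.invalid is a reserved, non-resolvable name.
SAMPLE_HEADERS = {
    "Host": "www.example.org",
    "User-Agent": "sample-client/1.0",
    "Proxy": "http://proxy.invalid:8080",
}

if __name__ == "__main__":
    exposed = cgi_environ(SAMPLE_HEADERS)
    stripped = cgi_environ(SAMPLE_HEADERS, strip_proxy_header=True)
    print("no mitigation     :", naive_outbound_proxy(exposed))
    print("header unset      :", naive_outbound_proxy(stripped))
    print("client-side guard :", outbound_proxy(exposed, sapi="fpm-fcgi"))
    print("operator CLI proxy:",
          outbound_proxy({"HTTP_PROXY": "http://10.0.0.5:3128"}, sapi="cli"))
```

Stripping the header at the web server protects every application behind it, which is why the advisory recommends it even for sites whose Drupal core is not affected.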

Also see the Drupal core project page.
