Drupal RESTful Web Services unserialize() Remote Code Execution

Posted by deepcore on March 7, 2019 – 7:00 pm

This Metasploit module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Imperva SecureSphere 13.x PWS Command Injection Linux Virtual Address 0 Mappable Via Privilege write() »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Drupal RESTful Web Services unserialize() Remote Code Execution

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL