Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-April-25
Vulnerability:
PHP object injection
Affected versions:
<3.7.0
Description:
This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.
The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.
Solution:
Install the latest version:
Reported By:
- David Snopek of the Drupal Security Team
Fixed By:
- David Snopek of the Drupal Security Team
- Jürgen Haas
Coordinated By:
- David Snopek of the Drupal Security Team
