In June of 2011, the Drupal Security Team issued Public Service Advisory PSA-2011-002 – External libraries and plugins.
8 years later that is still the policy of the Drupal Security team. As Drupal core and modules leverage 3rd party code more and more it seems like an important time to remind site owners that they are responsible for monitoring security of 3rd party libraries. Here is the advice from 2011 which is even more relevant today:
Just like there’s a need to diligently follow announcements and update contributed modules downloaded from Drupal.org, there’s also a need to follow announcements by vendors of third-party libraries or plugins that are required by such modules.
Drupal’s update module has no functionality to alert you to these announcements. The Drupal security team will not release announcements about security issues in external libraries and plugins.
Current PHPUnit/Mailchimp library exploit
Recently we have become aware of a vulnerability that is being actively exploited on some Drupal sites. The vulnerability is in PHPUnit and has a CVE# CVE-2017-9841. The exploit targets Drupal sites that currently or previously used the Mailchimp or Mailchimp commerce module and still have a vulnerable version of the file
sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. See below for details on whether a file is vulnerable or not. The vulnerable file might be at other paths on your individual site, but an automated attack exists that is looking for that specific path. This attack can execute PHP on the server.
Follow release announcements by the vendors of the external libraries and plugins you use.
In this specific case, check for the existence of a file named
eval-stdin.php and check its contents. If they match the new version in this commit then it is safe. If the file reads from
php://input then the codebase is vulnerable. This is not an indication of a site being compromised, just of it being vulnerable. To fix this vulnerability, update your libraries. In particular you should ensure the Mailchimp and Mailchimp Ecommerce modules and their libraries are updated.
If you discover your site has been compromised, we have a guide of how to remediate a compromised site.
Also see the Drupal core project page.
- Greg Knaddison of the Drupal Security Team