CVE-2019-6340 Drupal 8.6.9 REST Auth Bypass examples

CVE-2019-6340 / SA-CORE-2019-003

Three scripts are included to demonstrate how Drupal 8.6.9 is vulnerable to CVE-2019-6340:

  • create_node_via_rest.py - Example of a normal authenticated node create via the REST API
  • does_not_correspond.py - Proves the request is processed even without authentication
  • exploit.py - Exploits the deserialization and executes a remote command

Download Drupal 8.6.9 from https://www.drupal.org/project/drupal/releases/8.6.9. Do a vanilla install and turn on the four "Web Services" modules.

I did not do all of the investigation on my own; I used a few resources when writing these scripts: