The extraordinary ‘Panama Papers leak’ from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world’s richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular content management systems: Drupal and WordPress.
Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was due to vulnerabilities in Drupal and WordPress that allowed hackers to get into the law firm’s system and stole over 11.5 Million files (around 2.6 Terabytes of data).
The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC.
According to an advisory, the critical arbitrary remote PHP code execution vulnerability (PSA-2016-001) affects up to 10000 Drupal websites. However, “Drupal core is not affected. Not all sites will be affected.”
Although technical details about the critical flaws have not released yet due to security reasons, the team has warned its users to apply upcoming patches without giving opportunities to hackers who are desperately waiting for the bug details to develop exploits within hours or days.
If you own a Drupal website, you are advised carefully to review the list of affected contributed modules and apply the security patches as soon as possible.