CVE-2015-8761
📋 TL;DR
This vulnerability in Drupal's Values module allows remote administrators with 'Import value sets' permission to execute arbitrary PHP code via the exported values list in a ctools import. It affects Drupal 7.x sites using Values module versions 7.x-1.x before 7.x-1.2. This is a critical remote code execution vulnerability.
💻 Affected Systems
- Drupal Values module
📦 What is this software?
Values by Values Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, malware deployment, or complete site takeover.
Likely Case
Unauthorized PHP code execution leading to data manipulation, backdoor installation, or privilege escalation.
If Mitigated
Limited impact if proper permission controls and network segmentation are in place.
🎯 Exploit Status
Exploitation requires administrator access with specific permission. Public exploit code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.x-1.2
Vendor Advisory: https://www.drupal.org/node/2622534
Restart Required: No
Instructions:
1. Update the Values module to version 7.x-1.2 or later.
2. Apply the patch from the Drupal security advisory.
3. Clear Drupal caches.
🔧 Temporary Workarounds
Remove Import Permission
Temporarily revoke the 'Import value sets' permission from all users until the patch is applied.
Disable Values Module
Disable the Values module if it is not essential to site functionality.
drush dis values
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Drupal servers
- Enable detailed logging and monitoring for suspicious PHP execution attempts
🔍 How to Verify
Check if Vulnerable:
Check Values module version in Drupal admin interface or via 'drush pm-list' command.
Check Version:
drush pm-list | grep values
Verify Fix Applied:
Confirm Values module version is 7.x-1.2 or later and verify patch application.
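The version check above, as an added example (not part of the advisory or the Values project): it reads the Values module's version out of `drush pm-list` output and classifies it against the fix version 7.x-1.2. The `drush pm-list` sample is constructed; on a real site pipe the live command into `values_version_from_pm_list` instead.

```shell
# Added example (not part of the advisory): decide whether a Drupal 7 Values
# module version string is affected by CVE-2015-8761, i.e. 7.x-1.x before
# the fix version 7.x-1.2.
# Return code: 0 = affected, 1 = not affected, 2 = cannot decide (review by hand).
values_status() {
  v="$1"
  case "$v" in
    7.x-1.*) ;;                      # the 7.x-1.x branch is the one in scope
    7.x-*)   return 1 ;;             # other 7.x branches are not named as affected
    *)       return 2 ;;             # not a Drupal 7 contrib version string
  esac
  minor="${v#7.x-1.}"                # e.g. "1", "2", "2+3-dev", "x-dev"
  num="${minor%%[!0-9]*}"            # leading digits of the minor only
  [ -n "$num" ] || return 2          # "7.x-1.x-dev" snapshot: version alone does not say
  if [ "$num" -lt 2 ]; then
    return 0
  fi
  return 1
}

# Extract the Version column of the values module from `drush pm-list` output
# read on stdin (works on saved output or piped from the live command).
values_version_from_pm_list() {
  awk '/\(values\)/ { print $NF; exit }'
}

# Constructed sample of Drupal 7 `drush pm-list` output (not captured from a real site).
SAMPLE_PM_LIST=' Package  Name             Type    Status   Version
 Other    Values (values)  Module  Enabled  7.x-1.1
 Core     System (system)  Module  Enabled  7.41'

# Runs the check against the constructed sample; on a real site replace the
# printf with:  drush pm-list | values_version_from_pm_list
main_check() {
  ver=$(printf '%s\n' "$SAMPLE_PM_LIST" | values_version_from_pm_list)
  rc=0
  values_status "$ver" || rc=$?
  case "$rc" in
    0) echo "values $ver: AFFECTED by CVE-2015-8761, update to 7.x-1.2 or later" ;;
    1) echo "values $ver: not affected" ;;
    *) echo "values $ver: could not determine from the version string, check by hand" ;;
  esac
  return "$rc"
}
```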
📡 Detection & Monitoring
Log Indicators:
- Unusual PHP execution in Drupal logs
- Suspicious ctools import activities
- Unauthorized file modifications
Network Indicators:
- Unexpected outbound connections from Drupal server
- Suspicious POST requests to ctools import endpoints
SIEM Query:
source="drupal.log" AND ("ctools" AND "import") AND ("php" OR "exec" OR "system")
🔗 References
- http://cgit.drupalcode.org/values/commit/?id=5942ee9
- http://www.securityfocus.com/bid/79656
- https://www.drupal.org/node/2622534
- https://www.drupal.org/node/2636344