This repository has been archived by the owner on May 30, 2020. It is now read-only.

DevDungeon/CVE-2019-6340-Drupal-8.6.9-REST-Auth-Bypass


CVE-2019-6340 / SA-CORE-2019-003

Three scripts are included to demonstrate how Drupal 8.6.9 is vulnerable to CVE-2019-6340:

  • create_node_via_rest.py - Example of a normal authenticated node creation with the REST API
  • does_not_correspond.py - Proves that the request is processed even without authentication
  • exploit.py - Exploits the deserialization to execute a remote command

Download Drupal 8.6.9 from https://www.drupal.org/project/drupal/releases/8.6.9. Do a vanilla install and turn on the four "Web Services" modules.

I did not do all of the investigation on my own; I used a few resources when writing these scripts:

About

CVE-2019-6340 Drupal 8.6.9 REST Auth Bypass examples
