Hi team,
Please find attached in this PR a bug fix which fixes the false positive returned by lib/checks/drupal_cve_2018_7600.rb.
Originally, if the script detected a Drupal instance potentially running version 8, it would perform two checks. If the first check failed, the second check would be fired off. The issue with the second check is that it involves blind exploitation, and as such a generic error is returned in the response. Drupal 9 returns this same error in the response, thus leading Drupal 9 instances to be identified as vulnerable. As such, the second check was removed.
Best regards, Maxim