The Drupal project today released another security update to Drupal 7 and 8 core, SA-CORE-20108-004. It is largely a refinement of the previous fix released for SA-CORE-2018-002 a few weeks ago, which introduced a Drupal-specific firewall to filter incoming requests. The new patch tightens the firewall further, preventing newly-discovered ways of getting around the filters, as well as correcting some deeper issues in Drupal itself.
We previously added the same logic to our own network-wide WAF to address SA-CORE-2018-002. With the latest release we’ve updated out WAF rules to match Drupal’s updates, and the new code is rolling out to all projects and regions as we speak.
You really need to update Drupal to 7.59 or 8.5.3 as soon as possible. We believe that some of the attack vectors fixed in the latest patch cannot be blocked by a WAF. See our earlier post for quick and easy instructions to update your Drupal 7 or 8 sites on Platform.sh in just a few minutes.
Still, most of the attack vectors fixed in the latest release are covered by the WAF. That should help keep your site safe from most attacks until you can update. But please, update early and often.
Stay safe out there on the Internet!