Drupalgeddon 2
Agenda
● Drupal Basics
● Anatomy of Attack
● Vulnerable Form APIs
● Elements used in exploit
● Demo
● Key component of vulnerability
● Remediation
Drupal Basics
● Drupal is the platform for web content management among global enterprises,
governments, higher education institutions, and NGOs. Flexible and highly scalable, Drupal
publishes a single web site or shares content in multiple languages across many devices.
● Drupal’s Form API was introduced in Drupal 6 and allowed for alteration of the form data
during the form rendering process. This revolutionized the way markup processing was
done.
Anatomy of Attack
● Affected versions - < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1
● This vulnerability allows an unauthenticated attacker to perform remote code execution on default or common
Drupal installations, which gives access to all non-public data as well as the ability to modify or delete it.
● The vulnerability relates to a conflict between how PHP handles arrays in parameters and Drupal's use of the
hash (#) at the beginning of array keys to signify special keys that typically result in further computation,
leading to the ability to inject code arbitrarily.
● Drupalgeddon2 targets AJAX requests composed of Drupal Form API’s renderable arrays, which are used to
render a requested page through Drupal’s theming system.
● Renderable arrays contain metadata that is used in the rendering process. These renderable
arrays are a key-value structure in which the property keys start with a hash sign (#).
Please see below for an example:
Vulnerable Form APIs
● [#post_render]
○ Receives the result of the rendering process and adds wrappers around it.
● [#pre_render]
○ Manipulates the render array before rendering.
● [#access_callback]
○ Determines whether or not the current user has access to an element.
● [#lazy_builder]
○ Used to add elements at the very end of the rendering process.
The elements used in exploit
● [#post_render] : An array of functions which may operate on the rendered HTML after rendering. It receives
both the rendered HTML and the render array from which it was rendered and can use those to change the
rendered HTML.
● passthru : This PHP function is similar to the exec() function.
● #<Name> : These properties are used by the Forms API to generate forms, dynamically modify forms, etc.
● #type : Defines element type. If this array is an element, this will cause the default element properties to be
loaded.
● [#markup] : One of the render array properties, used to return a string as #markup so that it is
rendered along with some extra information and so that the text and/or tags can be changed further down the
line in the theming process at runtime.
Demo
Key components of vulnerability
● Targeting a page that requires no authentication makes the attack much more effective.
● Anything generated dynamically from user input is always suspect for data sanitization
issues.
● Presence of CHANGELOG.txt
Remediation
● New PHP processes created by the webserver user, particularly php -r <encoded command>
● New PHP files written to the web root
● Entries in web server access logs for requests to a registration form
● Single requests to CHANGELOG.txt
● For sites using Drupal 7.x, Drupal 7.59 has been released.
● For sites using Drupal 8.5.x, Drupal 8.5.3 has been released.
● For sites using Drupal 8.4.x, Drupal 8.4.8 has been released.
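The access-log indicators in this list, combined with the '#'-prefixed array keys described under Anatomy of Attack, as an added triage example (not part of the original slides and not Drupal code). The log lines, IP addresses and the parameter name field[#example_prop] are constructed; user/register is Drupal's default registration route.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = '''\
198.51.100.7 - - [12/Apr/2018:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1123 "-" "curl/7.58.0"
203.0.113.5 - - [12/Apr/2018:10:02:10 +0000] "GET /user/register HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2018:10:02:11 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2018:10:03:40 +0000] "POST /user/register?field%5B%23example_prop%5D=1 HTTP/1.1" 200 512 "-" "python-requests/2.18"
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')
# A PHP-style array parameter name with a bracket segment that starts with '#',
# for example field[#example_prop] or a[b][#c].
HASH_KEY_RE = re.compile(r'\[#[^\]]*\]')
REGISTER_ROUTE = 'user/register'  # Drupal's default registration route


def hash_keys(target):
    """Parameter names in the logged query string that carry a '#'-prefixed key."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [name for name, _ in pairs
            if name.startswith('#') or HASH_KEY_RE.search(name)]


def route(target):
    """Drupal route of a request: the q parameter if present, else the URL path."""
    parts = urlsplit(target)
    q = dict(parse_qsl(parts.query)).get('q')
    return (q or parts.path).strip('/')


def analyze(log_text):
    """Map each client IP to the sorted list of indicators seen in its requests."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip anything that is not an access-log entry
            by_client[m['ip']].append(m['target'])

    findings = {}
    for ip, targets in by_client.items():
        routes = [route(t) for t in targets]
        tags = set()
        # The client's only request in the whole log was for CHANGELOG.txt.
        if len(routes) == 1 and routes[0].rsplit('/', 1)[-1] == 'CHANGELOG.txt':
            tags.add('lone-changelog-request')
        # Any request to the registration form (also under a sub-directory).
        if any(r == REGISTER_ROUTE or r.endswith('/' + REGISTER_ROUTE) for r in routes):
            tags.add('registration-form-request')
        # A '#'-prefixed array key arriving from the client in the query string.
        if any(hash_keys(t) for t in targets):
            tags.add('hash-prefixed-array-key')
        if tags:
            findings[ip] = sorted(tags)
    return findings


if __name__ == '__main__':
    for ip, tags in analyze(SAMPLE_LOG).items():
        print(ip, ', '.join(tags))
```

Access logs do not record POST bodies by default, so this check only sees keys sent in the query string; the process and file indicators in the list need host telemetry instead.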

Drupalgeddon 2 Null_meet


Editor's Notes

  1. The Form API is known as “Renderable Arrays”. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more. Rendering in the Drupal world means turning structured "render" arrays into HTML. A render array is a classic Drupal structured array that provides data as to how it should be rendered.
  2. The vulnerability was reported by Jasper Mattsson. The theming system defines the visual look and feel of your site.
  3. The passthru function executes a command and displays the raw output. Return the string as #markup when you need it to be rendered along with the table, rows, headers etc. You can use a simple string to show an error, but for extra information you need to use #markup.
  4. isset - checks whether the variable is set and not NULL. $_REQUEST - a global variable used to collect data after an HTML form is submitted, like $_GET, $_POST etc. form_build_id - In order to manage multi-step forms, Drupal has a mechanism to temporarily save the submitted values in the database. During the next steps of the form submission, those cached values will be retrieved and processed.
  5. In Drupal 8, we have to run PHP as a subprocess, which is easier to notice in process listings.