
Drupal CMS admins cautioned about update problems

The open source Drupal content management platform is among the top free CMS in the world, with an estimated 15 million downloads according to one source. However, a researcher has warned of three security update issues that infosec pros and Web administrators need to pay attention to.

In a blog published Wednesday, Fernando Arnaboldi of security consultancy IOActive said he’s found that

– if the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning;

– an attacker may force an admin to check for updates due to a cross-site request forgery (CSRF) vulnerability in the update functionality;

– and Drupal security updates are transferred unencrypted without checking their authenticity, which could lead to code execution and database access.

For the time being, he said, administrators should manually download updates for Drupal and any plug-ins being used.

In an email Thursday to ITWorldCanada.com, Drupal security team member Greg Knaddison said developers will have a detailed response shortly. But for now, he said, they feel “the risk/impact has been overstated.”

Also this week Drupal competitor WordPress released version 4.4.1 with a number of security fixes including one for a cross-site scripting vulnerability. WordPress “strongly” encourages users to update their platforms.

Drupal, now on version 8.0.2, is used by a number of organizations around the world. There are Drupal support groups in Ottawa, Montreal, Waterloo and Toronto.

Arnaboldi said he discovered the first problem a few days after installing Drupal v7.39, when he learned that security update v7.41 was available. However, according to his local instance, his software was up to date. “The issue was due to some sort of network problem,” he wrote. Drupal 6 displayed a warning message if an update check failed, but that warning is not present in Drupal 7 or Drupal 8, he said.

Other Web sites that have covered this have noted that the missing warning could lead administrators to believe their unpatched systems are safe.

While administrators could use Drupal’s Check Manually link, Arnaboldi cautions that in versions before Drupal 8 that link has a CSRF vulnerability. To exploit unencrypted updates, he says, an attacker must be able to eavesdrop on the victim’s network traffic — likely when a client communicates with the server over an insecure connection. Another possible attack vector is to offer a backdoored version of any of the modules installed on Drupal.
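The two failure modes above, the silent "up to date" result after a failed check and the unauthenticated download, modelled side by side. This is an added illustration, not Drupal's own update code; version strings and the sample archive bytes are constructed, and the "expected digest" stands in for a value an administrator would obtain out of band over HTTPS from the project's release page.

```python
"""Added example: why a failed update check must not report 'up to date',
and why a downloaded archive should be verified before it is installed."""
import hashlib
from enum import Enum


class Status(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "security update available"
    CHECK_FAILED = "update check failed"  # the state the article says Drupal 7/8 never shows


def parse_version(version):
    """'7.41' -> (7, 41); '8.0.2' -> (8, 0, 2). Tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def status_silent(installed, latest):
    """Buggy logic: a fetch failure (latest is None) collapses into 'up to date',
    so an admin on 7.39 is told nothing while 7.41 is out."""
    if latest is None or parse_version(latest) <= parse_version(installed):
        return Status.UP_TO_DATE
    return Status.UPDATE_AVAILABLE


def status_explicit(installed, latest):
    """Hardened logic: a failed check is its own state that the admin must act on."""
    if latest is None:
        return Status.CHECK_FAILED
    if parse_version(latest) > parse_version(installed):
        return Status.UPDATE_AVAILABLE
    return Status.UP_TO_DATE


def verify_download(archive_bytes, expected_sha256):
    """Reject an archive whose digest does not match one obtained over an
    authenticated channel; a copy altered in transit fails this check."""
    return hashlib.sha256(archive_bytes).hexdigest() == expected_sha256


# Constructed stand-ins: a fake archive and the digest an admin would have fetched out of band.
SAMPLE_ARCHIVE = b"drupal-7.41.tar.gz (constructed placeholder bytes, not a real release)"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()

if __name__ == "__main__":
    print("network failure, buggy  :", status_silent("7.39", None).value)
    print("network failure, fixed  :", status_explicit("7.39", None).value)
    print("7.41 published, fixed   :", status_explicit("7.39", "7.41").value)
    print("tampered archive passes :", verify_download(SAMPLE_ARCHIVE + b"\x00", SAMPLE_DIGEST))
```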

“Offering fake updates is a simple process,” Arnaboldi believes. “Once requests are being intercepted, a fake update response can be constructed for any module. When administrators click on the ‘Download these updates’ buttons, they will start the update process.”


Read more: http://www.itworldcanada.com/article/drupal-cms-admins-cautioned-about-update-problems/379806#ixzz3wgO3PVYz 
From itworldcanada
