
Drupal CMS admins cautioned about update problems

The open source Drupal content management platform is among the top free CMS in the world, with an estimated 15 million downloads according to one source. However, a researcher has warned of three security update issues that infosec pros and Web administrators need to pay attention to.

In a blog published Wednesday, Fernando Arnaboldi of security consultancy IOActive said he’s found that

– if the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning;

– an attacker may force an admin to check for updates due to a cross-site request forgery (CSRF) vulnerability in the update functionality;

– and Drupal security updates are transferred unencrypted without checking their authenticity, which could lead to code execution and database access.

For the time being, he said, administrators should manually download updates for Drupal and any plug-ins being used.

In an email Thursday to ITWorldCanada.com, Drupal security team member Greg Knaddison said developers will have a detailed response shortly. But for now they feel “the risk/impact has been overstated.”

Also this week Drupal competitor WordPress released version 4.4.1 with a number of security fixes, including one for a cross-site scripting vulnerability. WordPress “strongly” encourages users to update their platforms.

Drupal, now on version 8.0.2, is used by a number of organizations around the world. There are Drupal support groups in Ottawa, Montreal, Waterloo and Toronto.

Arnaboldi said he discovered the first problem a few days after installing Drupal v7.39, when he learned security update v7.41 was available. However, according to his local instance, his software was up to date. “The issue was due to some sort of network problem,” he wrote. Apparently Drupal 6 showed a warning message if an update check failed, but that warning is not present in Drupal 7 or Drupal 8, he said.

Other Web sites that have seen this have noted the warning failure could make administrators think their unpatched systems are safe.
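To make the first problem concrete, here is an added example (not Drupal's own code) that models the two possible behaviours of an update check: the flawed one, where a failed fetch of the release feed is reported as "up to date", and a fail-closed one that reports the status as unknown. The release feed is a constructed stand-in and the version strings are taken from the article.

```python
# Added example, not Drupal's code: model an update-status check so that a
# network failure is surfaced as UNKNOWN rather than silently reported as
# "up to date". The release feed functions below are constructed stand-ins.
from enum import Enum
import re


class Status(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    UNKNOWN = "check failed; update status unknown"


def parse_version(v):
    """Turn '7.41' into (7, 41) and '8.0.2' into (8, 0, 2) for comparison."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def flawed_status(installed, fetch):
    """The behaviour the article criticises: a fetch error looks like 'no newer release'."""
    try:
        releases = fetch()
    except OSError:
        releases = []          # error swallowed, so nothing is "newer"
    newer = [r for r in releases if parse_version(r) > parse_version(installed)]
    return Status.UPDATE_AVAILABLE if newer else Status.UP_TO_DATE


def fail_closed_status(installed, fetch):
    """Report a failed or empty check as UNKNOWN so the admin does not assume the site is patched."""
    try:
        releases = fetch()
    except OSError:
        return Status.UNKNOWN
    if not releases:
        return Status.UNKNOWN
    newer = [r for r in releases if parse_version(r) > parse_version(installed)]
    return Status.UPDATE_AVAILABLE if newer else Status.UP_TO_DATE


# Constructed release-feed outcomes (assumption: a list of version strings)
def feed_ok():
    return ["7.39", "7.40", "7.41"]


def feed_down():
    raise OSError("network unreachable")


if __name__ == "__main__":
    print("flawed, feed down:", flawed_status("7.39", feed_down).value)
    print("fixed,  feed down:", fail_closed_status("7.39", feed_down).value)
    print("fixed,  feed ok:  ", fail_closed_status("7.39", feed_ok).value)
```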

While administrators could use Drupal’s Check Manually link, Arnaboldi cautions that in versions before Drupal 8 that link has a CSRF vulnerability. To exploit unencrypted updates, he says, an attacker must be able to eavesdrop on the victim’s network traffic — likely when a client communicates with the server over an insecure connection. Another possible attack vector is to offer a backdoored version of any of the modules installed on Drupal.

“Offering fake updates is a simple process,” Arnaboldi believes. “Once requests are being intercepted, a fake update response can be constructed for any module. When administrators click on the ‘Download these updates’ buttons, they will start the update process.”


Source: ITWorldCanada.com, http://www.itworldcanada.com/article/drupal-cms-admins-cautioned-about-update-problems/379806
