
Drupal CMS admins cautioned about update problems

The open source Drupal content management platform is among the most widely used free CMSes in the world, with an estimated 15 million downloads according to one source. However, a researcher has warned of three problems with its security update mechanism that infosec pros and Web administrators need to pay attention to.

In a blog post published Wednesday, Fernando Arnaboldi of security consultancy IOActive said he has found that

–if the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning;

–an attacker may force an admin to check for updates due to a cross-site request forgery vulnerability (CSRF) on the update functionality;

–and Drupal security updates are transferred unencrypted and without any check on their authenticity, which could lead to code execution and database access.

For the time being, he said, administrators should manually download updates for Drupal and any plug-ins being used.

In an email Thursday to ITWorldCanada.com, Drupal security team member Greg Knaddison said developers will have a detailed response shortly. But for now, he said, they feel “the risk/impact has been overstated.”

Also this week Drupal competitor WordPress released version 4.4.1 with a number of security fixes, including one for a cross-site scripting vulnerability. WordPress “strongly” encourages users to update their installations.

Drupal, now on version 8.0.2, is used by a number of organizations around the world. There are Drupal support groups in Ottawa, Montreal, Waterloo and Toronto.

Arnaboldi said he discovered the first problem a few days after installing Drupal v7.39, when he learned that security update v7.41 was available. His local instance, however, reported that his software was up to date. “The issue was due to some sort of network problem,” he wrote. Drupal 6 displayed a warning message if an update check failed, he said, but that warning is not present in Drupal 7 or Drupal 8.

Other Web sites that have looked at this have noted that the missing warning could lead administrators to believe their unpatched systems are safe.
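The failure mode described above is a status-reporting bug rather than a parsing one: when the release feed cannot be fetched, there are no "newer" releases to compare against, so a check that only asks "is anything newer?" answers "up to date". The following Python example is added here to illustrate that; it is not Drupal's code. The feed is a constructed sample modelled on the release-history XML that Drupal's update module fetches (only the elements the example reads are present, and exact element names are an assumption), and `naive_status` versus `safe_status` shows the difference between collapsing a failed check into "current" and reporting it as a distinct unknown state.

```python
import xml.etree.ElementTree as ET
from enum import Enum
from typing import List, Optional, Tuple

# Constructed sample feed, modelled on the release-history XML that Drupal's update
# module fetches from updates.drupal.org. Only the elements this example reads are
# present; the versions follow the article (7.39 installed, 7.41 the security release).
RELEASE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<project>
  <title>Drupal core</title>
  <short_name>drupal</short_name>
  <releases>
    <release>
      <version>7.41</version>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
    <release>
      <version>7.40</version>
      <terms><term><name>Release type</name><value>Bug fixes</value></term></terms>
    </release>
    <release>
      <version>7.39</version>
      <terms><term><name>Release type</name><value>Security update</value></term></terms>
    </release>
  </releases>
</project>
"""


class Status(Enum):
    CURRENT = "up to date"
    UPDATE_AVAILABLE = "update available"
    SECURITY_UPDATE_AVAILABLE = "security update available"
    UNKNOWN = "could not check for updates"  # the state the article says Drupal 7/8 never show


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.41' -> (7, 41). Core-style dotted versions only (no '7.x-1.0' module versions)."""
    return tuple(int(part) for part in version.split("."))


def parse_feed(xml_text: str) -> List[Tuple[Tuple[int, ...], bool]]:
    """Return (version, is_security_release) for every <release> in the feed."""
    root = ET.fromstring(xml_text)
    releases = []
    for rel in root.iter("release"):
        is_security = any(
            term.findtext("name") == "Release type"
            and term.findtext("value") == "Security update"
            for term in rel.iter("term")
        )
        releases.append((parse_version(rel.findtext("version")), is_security))
    return releases


def classify(installed: str, releases: List[Tuple[Tuple[int, ...], bool]]) -> Status:
    """Compare the installed version against the releases we actually know about."""
    newer = [r for r in releases if r[0] > parse_version(installed)]
    if not newer:
        return Status.CURRENT
    if any(is_security for _, is_security in newer):
        return Status.SECURITY_UPDATE_AVAILABLE
    return Status.UPDATE_AVAILABLE


def naive_status(installed: str, fetched: Optional[str]) -> Status:
    """The failure mode in the article: a fetch that returned nothing (network error,
    timeout) yields an empty release list, which reads as 'nothing newer', i.e. up to date."""
    releases = parse_feed(fetched) if fetched else []
    return classify(installed, releases)


def safe_status(installed: str, fetched: Optional[str]) -> Status:
    """Distinguish 'we checked and found nothing newer' from 'we could not check'."""
    if not fetched:
        return Status.UNKNOWN
    try:
        releases = parse_feed(fetched)
    except (ET.ParseError, ValueError, TypeError, AttributeError):
        # Truncated or malformed response: also not evidence of being up to date.
        return Status.UNKNOWN
    return classify(installed, releases)


if __name__ == "__main__":
    for fetched, label in ((RELEASE_FEED, "feed fetched"), (None, "fetch failed")):
        print(f"{label:13} naive={naive_status('7.39', fetched).value!r} "
              f"safe={safe_status('7.39', fetched).value!r}")
```

Run stand-alone, the script prints both checkers agreeing on "security update available" when the feed arrives, and disagreeing on a failed fetch: the naive checker says "up to date", the safe one says the check could not be completed. The practical point for an admin dashboard is that the "unknown" state must be surfaced as a warning, not folded into the green status.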

While administrators could use Drupal’s Check Manually link to force an update check, Arnaboldi cautions that in versions before Drupal 8 that link has a CSRF vulnerability. To exploit the unencrypted update transfer, he says, an attacker must be able to intercept the victim’s network traffic, most likely when the client communicates with the update server over an insecure connection. Another possible attack vector is to offer a backdoored version of any of the modules installed on the Drupal site.

“Offering fake updates is a simple process,” Arnaboldi wrote. “Once requests are being intercepted, a fake update response can be constructed for any module. When administrators click on the ‘Download these updates’ buttons, they will start the update process.”
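Why a hash carried inside the feed does not help here, and what the "download updates manually" advice actually buys you, is easiest to see in code. The Python below is an added example, not Drupal's or IOActive's code: the archives are constructed byte strings, the feed is a dictionary with an in-band hash field (the field name `mdhash` and the link are assumptions for this example), and `mitm_rewrite` plays the attacker who can rewrite a plaintext feed. A client that trusts the feed's own hash accepts the backdoored archive, because the attacker rewrote the hash along with the link; a client that insists on TLS and on a hash obtained out of band rejects it.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed archives: the bytes the project published, and what a man-in-the-middle
# substitutes on a plaintext connection.
GENUINE_ARCHIVE = b"PK\x03\x04 genuine module archive (constructed)"
BACKDOORED_ARCHIVE = b"PK\x03\x04 module archive with a PHP backdoor appended (constructed)"

# Hash pinned out of band, e.g. read from the project's HTTPS release page on another
# machine before the update. This is the value a manual download lets you check against.
PINNED_SHA256 = hashlib.sha256(GENUINE_ARCHIVE).hexdigest()


def genuine_feed() -> dict:
    """A release entry as the update server would publish it. The in-band hash field
    name 'mdhash' and the URL are assumptions for this example."""
    return {
        "version": "7.41",
        "download_link": "http://updates.example.org/drupal-7.41.tar.gz",  # plaintext
        "mdhash": hashlib.md5(GENUINE_ARCHIVE).hexdigest(),
    }


def mitm_rewrite(feed: dict, archive: bytes, link: str) -> dict:
    """Whoever can rewrite the plaintext feed also controls the hash travelling with it."""
    return {**feed, "download_link": link, "mdhash": hashlib.md5(archive).hexdigest()}


def in_band_check(feed: dict, archive: bytes) -> bool:
    """What a client that trusts the feed's own hash concludes about a downloaded archive."""
    return hmac.compare_digest(hashlib.md5(archive).hexdigest(), feed["mdhash"])


def verify_update(feed: dict, archive: bytes, pinned_sha256: str):
    """Accept an update only if it came over TLS and matches a hash obtained out of band.
    Returns (accepted, reason) so the caller can log why an update was refused."""
    if urlparse(feed["download_link"]).scheme != "https":
        return False, "refusing plaintext download link"
    if not hmac.compare_digest(hashlib.sha256(archive).hexdigest(), pinned_sha256):
        return False, "archive does not match pinned hash"
    return True, "ok"


if __name__ == "__main__":
    evil = mitm_rewrite(genuine_feed(), BACKDOORED_ARCHIVE,
                        "http://updates.example.org/drupal-7.41.tar.gz")
    print("in-band hash accepts backdoored archive:", in_band_check(evil, BACKDOORED_ARCHIVE))
    print("pinned verification:", verify_update(evil, BACKDOORED_ARCHIVE, PINNED_SHA256))
```

Note that `verify_update` also refuses the genuine feed as published, because its download link is plain HTTP; that is deliberate, since a hash checked against an attacker-controlled channel proves nothing. Authenticity has to come from something the attacker on the wire cannot rewrite: TLS to a server you trust, a signature you can verify with a key obtained separately, or a hash pinned out of band.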


Source: ITWorldCanada, http://www.itworldcanada.com/article/drupal-cms-admins-cautioned-about-update-problems/379806
