Drupal Multiple Vulnerabilities - Security Advisory

Posted by: Admin in Security Advisory on Sep 18, 2009

Tagged in: vulnerability , security , installatron , exploit , drupal , auto-update

security warning

This Security Advisory was delivered by Hanzo Host to help our customers
and friends keep their systems up-to-date against the latest vulnerabilities.

Security Advisory

Drupal Multiple Vulnerabilities

Info:

Some vulnerabilities have been reported in Drupal, which can be exploited to hijack accounts, compromise a vulnerable system and to conduct cross-site request forgery attacks.

  1. The OpenID module allows users to perform certain actions via HTTP requests without performing any validation checks to verify the requests. This can be exploited to e.g. add OpenID identities to existing accounts.
  2. An unspecified error within the OpenID Authentication 2.0 implementation can be exploited to hijack another user's account if the same OpenID 2.0 provider is used.
  3. An error within the File API when processing certain file extensions can be exploited to e.g. upload files which can be executed by the web server.

 

The vulnerabilities are reported in versions prior to 6.14.


Solution:

Upgrade to teh latest version of Drupal.

An one-click update is available to Hanzo Host customers within your account. Please update your install as soon as possible via your cPanel:

1.) log in to cPanel
2.) scroll down the page to
Software / Services > Installatron Applications Installer

3.) Available updates are highlighted
4.) Click on the options you wish to update

 

If you have any questions please contact Support by raising a ticket via the Customer Portal

Many thanks!