New Drupal Releases Fix Bugs

Thursday, November 28, 2013 @ 10:11 AM gHale

After finding a series of security holes, Drupal released 7.24 and 6.29.

Multiple vulnerabilities exist because of an issue with the cross-site request forgery (CSRF) protection. By leveraging the security holes in some contributed modules, cybercriminals could have remotely executed arbitrary code.

RELATED STORIES
Catapult Software DNP3 Driver Bug
GE Proficy DNP3 Improper Input Validation
Nordex NC2 XSS Vulnerability
WellinTech Patches KingView Holes

Users should update their installations as soon as possible, the developers said.

Attackers could exploit a weakness in the pseudorandom number generator for security-related strings to predict the strings with the aid of brute-force tools.

In addition, there are cross-site scripting vulnerabilities in the Image and Color modules in Drupal 7. The Overlay module also had an open redirect flaw.

Drupal uses a .htaccess file to prevent the execution of arbitrary PHP scripts on the Apache web server. However, on certain Apache configurations, the protection doesn’t work. The latest update addresses this problem.

Developers also fixed a security token validation issue attackers could leverage for access bypass.



Leave a Reply

You must be logged in to post a comment.