In association with heise online

18 September 2009, 09:19

Security updates for Drupal


The developers of the open source Drupal content management system have released versions 5.20 and 6.14 to fix four vulnerabilities. They include a cross-site request forgery (CSRF) vulnerability that allows an attacker to associate their own OpenID with an existing Drupal account and then log into that account with it. For the attack to succeed, however, the victim must visit a malicious web page while logged into Drupal. A second flaw in the OpenID implementation allows one user to log in as another if both accounts use the same OpenID 2.0 provider.

A further flaw in Drupal's file API allows executable files to be uploaded to the server. This is reportedly only exploitable if the web server ignores the .htaccess file that Drupal writes into its upload directory, since that file is what stops uploaded files from being handed to a script interpreter. The advisory doesn't say when this could be the case; in practice it is an Apache directory configured with AllowOverride None, or a web server such as nginx or IIS that never reads .htaccess files at all, so administrators running Drupal on such setups should check whether the upload directory can serve uploaded scripts. The update for version 5.x also closes a session fixation hole that allows an attacker to take over a user's session.
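The Apache configuration below is an added example, not from the advisory or from Drupal's own .htaccess; the path /var/www/drupal/sites/default/files and the directory layout are assumptions. It shows the weak setting, under which Apache discards the .htaccess that Drupal places in its files directory, beside a configuration that states the same no-execution policy in the main server config so that it holds whether or not .htaccess files are read.

```apache
# Weak: AllowOverride None makes Apache ignore any .htaccess in the
# upload directory, so the rules Drupal writes there never take effect
# and an uploaded .php file is handed to mod_php like any other script.
# (Path is an assumption for this example.)
<Directory /var/www/drupal/sites/default/files>
    AllowOverride None
</Directory>

# Hardened: put the policy in the main server config so it does not
# depend on .htaccess being honoured at all.
<Directory /var/www/drupal/sites/default/files>
    # Still read Drupal's own .htaccess if it is present
    AllowOverride All
    # Serve everything in here as static content, never via a handler
    SetHandler default-handler
    # No CGI, no server-side includes, no directory listings
    Options -ExecCGI -Includes -Indexes
    # Switch off the PHP engine for this tree even if a handler slips through
    <IfModule mod_php5.c>
        php_flag engine off
    </IfModule>
    # Belt and braces: refuse to serve files with script extensions outright
    <FilesMatch "\.(php|phtml|php[345]|phps|pl|py|cgi)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

The Order/Deny directives are Apache 2.2 syntax, current when this advisory was published; on Apache 2.4 use Require all denied inside the FilesMatch block instead. A quick check after changing the config is to place a harmless test.php in the upload directory and request it: a hardened server returns 403 or the file's raw source as text, never the output of running it. None of this helps on a server that is not Apache, where the equivalent rules have to be written in that server's own configuration.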

The developers rate the holes as critical and recommend that users update as soon as possible. Those who plan to update are advised to read the update notes before going ahead as there are a number of database changes associated with the update. Appropriate patches have also been released.
