In association with heise online

20 October 2007, 00:01

Security updates for Drupal CMS

Versions 4.7.8 and 5.3 of Drupal resolve a number of security vulnerabilities in prior versions. The developers consider one flaw in the installer to be critical: if the SQL server that has been entered is not available, the installer asks the user for another server, which enables the user to smuggle their own code into the system. As a quick workaround, the developers suggest deleting install.php in the root directory of the installation. Other vulnerabilities enable HTTP response splitting, cross-site request forgery and cross-site scripting.

Individual patches are available for all the vulnerabilities, but the Drupal team strongly recommends upgrading to 4.7.8 or 5.3 since they contain additional minor bug fixes. However, there are no new features in these upgrades.
