Critical Vulnerability Uncovered in Drupal. Upgrade Immediately

The open source content management system (CMS) Drupal has announced critical vulnerabilities in Drupal 6 and 7 and released patched versions.

Thousands of websites risk exposing sensitive user information and losing administrative control of the site unless they are upgraded.

The advisory that announced the vulnerabilities and their fixes, DRUPAL-SA-CORE-2015-002, rates one flaw in the "OpenID" module as Critical, while the three other vulnerabilities are rated Less Critical.


What is the vulnerability?

The flaw, discovered in the OpenID module (a single-sign-on extension for Drupal), allows an attacker to log in as other users on the website. An attacker can exploit the bug to impersonate other users, including the administrator, gaining full control of an unpatched website.

The advisory further notes that "This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange)."

Other Less Critical vulnerabilities

Of the three less critical vulnerabilities, two are open redirect bugs, through which an attacker can trick users into visiting malicious sites without their knowledge. The fourth is an information disclosure vulnerability that could allow a malicious user to view cached content that was served to other users.


How can I protect my website against the vulnerability?

Drupal urges administrators and site owners to install the latest version of Drupal immediately to keep their websites safe.

Websites running Drupal core 6.x need to upgrade to 6.36, and websites running Drupal core 7.x need to upgrade to 7.38, to protect themselves against these threats.
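The fixed releases above (6.36 for the 6.x branch, 7.38 for the 7.x branch) are the only hard facts an administrator needs to verify a site, so the following added example (not code from the article or from the Drupal project) reads the `VERSION` constant that Drupal core defines in PHP and reports whether the install is at or past the fixed release. It assumes the standard locations of that constant in a stock checkout: `modules/system/system.module` for Drupal 6 and `includes/bootstrap.inc` for Drupal 7. Development snapshots (`6.x-dev`, `7.38-dev`) cannot be compared with a release number and are reported as unknown rather than guessed.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases named in DRUPAL-SA-CORE-2015-002, keyed by major branch.
FIXED_RELEASES = {6: 36, 7: 38}

# Assumption: where a stock Drupal 6 / 7 checkout defines its VERSION constant.
VERSION_FILES = (
    "modules/system/system.module",  # Drupal 6
    "includes/bootstrap.inc",        # Drupal 7
)

# Matches e.g.  define('VERSION', '7.38');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(php_source):
    """Return (major, minor) from the VERSION define in PHP source, or None.

    minor is None for strings that are not a plain release, such as
    '6.x-dev' or '7.38-dev', because a snapshot cannot be ordered against
    the fixed release.
    """
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    parts = re.match(r"^(\d+)\.(\d+|x)(.*)$", m.group(1))
    if not parts:
        return None
    major = int(parts.group(1))
    if parts.group(2) == "x" or parts.group(3):
        return (major, None)
    return (major, int(parts.group(2)))


def assess(version):
    """Classify a parsed version as 'patched', 'vulnerable' or 'unknown'."""
    if version is None:
        return "unknown"
    major, minor = version
    if major not in FIXED_RELEASES or minor is None:
        return "unknown"  # branch not covered by the advisory, or a dev snapshot
    return "patched" if minor >= FIXED_RELEASES[major] else "vulnerable"


def assess_sources(sources):
    """sources maps a relative path to the text of that file.

    The first file that actually contains a VERSION define decides, so a
    Drupal 7 tree (which has system.module without the define) is still
    read from bootstrap.inc. Returns (version, status).
    """
    for rel in VERSION_FILES:
        if rel in sources:
            version = parse_version(sources[rel])
            if version is not None:
                return (version, assess(version))
    return (None, "unknown")


def check_drupal_root(root):
    """Read the candidate version files under a Drupal document root."""
    root = Path(root)
    sources = {
        rel: (root / rel).read_text(errors="replace")
        for rel in VERSION_FILES
        if (root / rel).is_file()
    }
    return assess_sources(sources)


if __name__ == "__main__":
    # Constructed sample: a fake Drupal 7 root still on 7.37, i.e. before the fix.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "includes" / "bootstrap.inc").write_text(
            "<?php\ndefine('VERSION', '7.37');\n"
        )
        version, status = check_drupal_root(root)
        print(f"Drupal {version[0]}.{version[1]}: {status}")
```

Run it against a real document root with `check_drupal_root("/var/www/drupal")` (path is a placeholder). A result of `unknown` means either the branch is not one the advisory covers or the tree is a development snapshot, and in both cases the version should be confirmed by hand rather than assumed safe.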

About the Author: Namrata

I am a technology geek and love all things smart and purple. A computer engineer by education, I was once a cubicle dweller at Intuit Inc. But since I had my calling from the written word, I quit my five year old job in software development and started writing. When I am not writing about technology or health, you can find me drinking tea, on facebook, or tinkering a new gadget.
