Drupal floored by poor update security

Stefan Mileschin · 10th January 2016, 11:03

Web content management studio Drupal is flawed by several bugs in its update process which could allow hackers to take over the sites the CMS creates.

Drupal is not as popular as WordPress but is used by some fairly serious content businesses. Now IOActive’s Fernando Arnaboldi has warned that there are three major flaws in Drupal’s update process that may allow attackers to poison Drupal installations via update packages.

In the worst cases, even servers can be taken over.

Drupal can be updated from its backend administration panel, just by pressing a button. The CMS is also fitted with an automatic update checker, for both its core and its modules. This lets admins know when a new version is out and allows them to quickly apply the update package and move on to other more important things.

The first problem is with failed update queries. Because of various connectivity issues, Drupal sites may sometimes fail when checking for an update. When this happens, the CMS prints the “All your projects are up to date” message, instead of clearly stating that the update has failed to complete.

http://www.techeye.net/internet/drup...pdate-security

10th January 2016, 11:03	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 148,553	Drupal floored by poor update security Web content management studio Drupal is flawed by several bugs in its update process which could allow hackers to take over the sites the CMS creates. Drupal is not as popular as WordPress but is used by some fairly serious content businesses. Now IOActive’s Fernando Arnaboldi has warned that there are three major flaws in Drupal’s update process that may allow attackers to poison Drupal installations via update packages. In the worst cases, even servers can be taken over. Drupal can be updated from its backend administration panel, just by pressing a button. The CMS is also fitted with an automatic update checker, for both its core and its modules. This lets admins know when a new version is out and allows them to quickly apply the update package and move on to other more important things. The first problem is with failed update queries. Because of various connectivity issues, Drupal sites may sometimes fail when checking for an update. When this happens, the CMS prints the “All your projects are up to date” message, instead of clearly stating that the update has failed to complete. http://www.techeye.net/internet/drup...pdate-security

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Latest Flash update fixes a whopping 79 security holes	Stefan Mileschin	WebNews	0	10th December 2015 14:24
Google rolling out security update for Nexus devices	Stefan Mileschin	WebNews	0	10th September 2015 08:21
OS X Yosemite update tackles 'surprise' Mac security flaws	Stefan Mileschin	WebNews	0	28th January 2015 09:13
OS X update closes networking security hole, brings more FaceTime features	Stefan Mileschin	WebNews	0	26th February 2014 08:04
Android 4.3 security update rolling out to Nexus devices, build JWR66Y	Stefan Mileschin	WebNews	0	22nd August 2013 07:11
Microsoft Pulls Security Update	Stefan Mileschin	WebNews	0	15th April 2013 07:57
Drupal 7 dives into machine-readable web	Shogun	WebNews	0	9th January 2011 06:41
Firefox update kills security bugs, adds Mac support	Sidney	WebNews	2	14th April 2006 08:51
New Windows vulnerabilities rounded up in Microsoft's February security update	Sidney	WebNews	0	9th February 2005 19:15
Microsoft Releases Security Update	Sidney	WebNews	0	3rd July 2004 16:13