Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Drupal installations open to attack caused by faulty update process

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

January 7, 2016

Content management firm Drupal said earlier today that some of its installations could be out of date and open to attack caused by a faulty update process that flags unpatched platforms as current.

The widely-used content management system is used by more than a million sites making it a significant target for potential hackers and cybercriminals.

In October 2014, attackers took just a few hours to compromise thousands of websites whose administrators had failed to apply a security patch update against a dangerous SQL injection flaw.

At that time, Drupal went as far as to proclaim all unpatched sites are considered compromised unless the proper patches were immediately applied.

All new Drupal installations are affected by the faulty update mechanism and fixes are not yet available. Drupal has been informed of the risk.

'IO Active' research spokesperson Fernando Arnaboldi says that sites are now at risk of future attack because Drupal versions 7 and 8 are being marked as up-to-date, even if the automated patching process fails due to dead or defective internet links.

"Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning message, which is at the core of the issue," Arnaboldi asserted users.

"The problem was due to some sort of network issue. In Drupal version 6 there was a warning message in place, but this is not present in Drupal 7 or Drupal 8," he added.

Arnaboldi found other similar security flaws including the update process when it's made over HTTP instead of HTTPS, opening the added possibility for man-in-the-middle attacks over public networks, further aggravating the problem.

Thanks to a known cross-site request forgery hole in Drupal versions below 8, those network hackers could trigger a manual update pointing to their backdoored version of the platform, he explained.

Attackers could also cause some Drupal installations to issue infinite update requests, consuming large amounts of bandwidth in the process.

Various failures to verify the legitimacy of those downloaded updates could also lead to remote code execution, according to Arnaboldi. We'll keep you updated on these and other security news.

Source: Drupal CMS.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer