Posts Tagged ‘Drupal’


New security vulnerabilities 2015

Several new security vulnerabilities of varying severity have been found by security researchers:

  • System compromise in Android (high severity vulnerability)
  • Bypassing security restrictions on Apache Tomcat (medium severity vulnerability)
  • Multiple vulnerabilities in CMS Drupal (low severity vulnerability)
  • Compromising the system in Apple QuickTime for Windows (high severity vulnerability) (more…)

Due to the critical vulnerability (CVE-2014-3704), which allows an attacker to gain access to the administrator account, developers are advised to roll back to a backup or recreate the site from scratch.

According to the developers of the popular content management system (CMS) Drupal, all websites based on Drupal 7.x can be compromised. The problem is related to a critical vulnerability that could allow an unauthorized user to execute arbitrary SQL queries against the site's database and uncover the administrator password.

According to the developers, attacks using this breach began immediately after the announcement on October 15 this year. Even websites whose administrators had time to apply the update may still be compromised. (more…)


The critical vulnerability in Drupal (CVE-2014-3704)

Release 7.32 of the Drupal web content management system fixes a critical vulnerability (CVE-2014-3704) that allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. The vulnerability was assigned the highest danger level (Highly critical), which indicates the possibility of remote attacks that can lead to gaining access to the system.

The vulnerability is caused by a bug in the implementation of prepared statements in the database abstraction API and can be exploited by anonymous users. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. (more…)

Cyber Security Notification: New Vulnerabilities of September 2014

Security vulnerabilities related to the Drupal content management system: descriptions of vulnerabilities in this vendor's products as of September 13, 2014.

1. Vulnerability: Cross-site scripting in Drupal Custom BreadCrumbs

Danger level: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 Rating: (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:O/RC:C) = Base: 5 / Temporal: 3.7 (more…)

Drupal.org hacked, you need to change passwords

The passwords of almost a million users of the service have been reset by the Drupal.org administration after hackers managed to gain unauthorized access to private user data.

Drupal.org is the official website of the popular open source content management system.

The breach is the result of an attack on an unnamed third-party application that works with Drupal, and not on the CMS itself, said Holly Ross, executive director of the Drupal Association, in a blog post. User names, email addresses, country information and cryptographically protected passwords were compromised in the attack. However, the analysis is not yet complete, and some additional data could also be in the hands of the attackers. (more…)

Vulnerability: Disclosure of sensitive data in Drupal

Danger: Low
Patch available: Yes
Number of vulnerabilities: 1

Impact: Disclosure of sensitive data
Affected products: Drupal 7.x
Affected versions: Drupal versions up to 7.16.

Description:

The vulnerability allows a remote user to gain access to sensitive data on the system. (more…)

Vulnerability: Multiple vulnerabilities in Drupal Basic webmail

Danger: Medium
Patch: Yes
Number of vulnerabilities: 3
Impact: Cross Site Scripting, Disclosure of sensitive data

Affected products: Drupal Basic webmail Module 6.x

Affected versions: Drupal Basic webmail versions up to 6.x-1.2, possibly earlier. (more…)

Drupal (from the Dutch druppel, "drop") is a content management system (CMS) written in PHP that uses a relational database as its content store (it supports MySQL, PostgreSQL, and any database supported by the PEAR library).

Drupal is free software licensed under the GPL and created by the efforts of enthusiasts from around the world. Development was started by the Dutchman Dries Buytaert, who is still the leader of the project.

Drupal's architecture allows it to be used to build different types of sites, from blogs and forums to information archives and news sites. Functionality is provided by plugins that access the common Drupal API. The standard set of modules includes, for example, features such as a news feed, blog, forum, downloads, news aggregator, voting, search and others. A large number of additional modules that greatly extend the basic functionality can be downloaded from the official site. (more…)

XSS in Drupal Exposed Filter Data

Impact: Cross Site Scripting

Affected products: Drupal Exposed Filter Data Module 6.x

Affected versions: Drupal Exposed Filter Data versions up to 6.x-1.2.

Description:

The vulnerability allows malicious people to conduct XSS attacks. (more…)

CSRF attack in Drupal Heartbeat

Impact: Cross Site Scripting

Affected products:

– Drupal Heartbeat Module 6.x;
– Drupal Heartbeat Module 7.x

Affected versions: Drupal Heartbeat versions up to 6.x-4.12, possibly earlier. (more…)