The Drupal Security Team has released a critical software update for the Drupal Content Management System (CMS). Users with websites running either Drupal 6 or Drupal 7 are urged to upgrade immediately. The most serious issue is a vulnerability in Drupal's OpenID module, a single-sign-on extension for the CMS that allows users to log in using OpenID. Attackers can exploit this bug to impersonate other users, including all-powerful administrators, and thereby gain control of an unpatched website. Websites with the OpenID module enabled should show the option “Log in with OpenID” underneath the username and password fields on the login page. The three other, less critical bugs are two open redirect vulnerabilities that could allow crooks to send unsuspecting users off to booby-trapped sites, and a bug that could let users take unauthorised peeks at each other’s private information.
Naked Security Sophos
IT Security News Info
The information provided herein is on an "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street