Explore top 10 tips to secure your open-source projects now. Read More
×Developers of popular open-source CMS Drupal are warning admins to immediately patch a flaw that an attacker can exploit just by visiting a vulnerable site.. The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page indicates that about a million sites are running the affected versions. . The bug affects all sites running on Drupal 8, Drupal 7, and Drupal 6. Drupal's project usage page i. developers, popular, open-source, drupal, warning, admins, immediately, patch. . LinuxSecurity.com Team
Nearly six months have passed since a major Drupal SQL injection vulnerability was disclosed, and yet attackers are continuing to try, sometimes successfully, to exploit websites that have failed to update their systems. . Trustwave analyzed one such exploitation in a Friday blog post that, more than anything, stresses the importance of keeping up with patching, said Ryan Barnett, senior lead security researcher at Trustwave, in an interview with SCMagazine.com. The link for this article located at SC Magazine is no longer available. . Trustwave analyzed one such exploitation in a Friday blog post that, more than anything, stresses th. nearly, months, passed, since, major, drupal, injection, vulnerability, disclosed. . LinuxSecurity.com Team
Webmasters running unfinished modules for Drupal do so at their own risk after the open-source CMS updated its guidelines on fixing security vulnerabilities.. The project has updated the wording on its security site on how it handles security fixes to clarify it will only work on vulnerabilities in completed code of modules that comprise the CMS. The change clarifies that modules in release-candidate mode will not be supported. Drupal will work with maintainers of modules that are code complete, with maintainers now given a deadline to fix the problem. If the deadline's missed, the module and the project will be unpublished from Drupal.org. Vulnerabilities in unfinished code will simply be flagged in the module's issue queue. The clarifications are a response to the discovery of a potentially serious XSS hole in the Drupal Context module three weeks after White House developers proudly released their own plug-in based on the buggy module. The link for this article located at The Register UK is no longer available. . Joomla enhances its safety protocols, restricting assistance solely to fully developed components, emphasizing risks associated with incomplete extensions.. Drupal Security Updates, Module Risks, CMS Guidelines. . LinuxSecurity.com Team
The development team behind the Drupal module Context have released version 6.x-2.0-rc4, which fixes a cross-site scripting (XSS) vulnerability when displaying block descriptions. If a user with 'administer blocks' permission clicks on a crafted link, JavaScript contained in the link is executed with the privileges of the Drupal page. Attackers can exploit this to gain access to a system. . Just a few weeks ago, a 'simple' XSS vulnerability in a bug-tracking system allowed root access to Apache Software Foundation servers, so XSS vulnerabilities are certainly not to be treated lightly. Update: According to Drupal security team member Heine Deelstra, there is no URL manipulation or JavaScript contained in the link itself involved in the exploitation of the vulnerability. The vulnerability occurs if a user with 'administrator blocks' permission has added JavaScript to a block description on the block administration page. The impact is low since not that many sites using context have role seperation between block admins and other admins. Only a small subsection of the sites using the context release candidate are affected. The link for this article located at H Security is no longer available. . The WordPress plugin Editor Enhancements resolves a minor CSRF vulnerability impacting user roles with editing privileges. Critical security update.. Drupal Security, XSS Attack, Context Module. . LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.