- #DOWNLOADING DRUPAL SECURITY UPDATES UPDATE#
- #DOWNLOADING DRUPAL SECURITY UPDATES SOFTWARE#
- #DOWNLOADING DRUPAL SECURITY UPDATES CODE#
That thread’s existed since April 2012 and was reopened after Arnaboldi reached out to Drupal last November. “Administrators may unwillingly be forcing their servers to request unlimited amounts of information from to consume network bandwidth,” Arnaboldi wrote.Īrnaboldi told Threatpost Wednesday that older sites running Drupal could also fall victim to a denial of service attack through more or less the same means, if the downstream network bandwidth of a website is lower than the upstream network bandwidth of .Īrnaboldi acknowledged that IOActive had a private discussion with Drupal’s security team about the issues and eventually agreed to keep a thread discussing the encryption issue public on. Users can check for updates however, thanks to a “Check Manually” link, and that’s where the third issue comes into play.Īccording to Arnaboldi, an attacker could use the same static link in a cross-site request forgery attack, or further leverage the vulnerability on Drupal builds that predate Drupal 8 to carry out a server-side request forgery attack. Instead of giving a warning message, it simply tells users “All your projects are up to date.”
#DOWNLOADING DRUPAL SECURITY UPDATES UPDATE#
The last two versions of the CMS, including the latest one, released in November, fail to notify users when they encounter a network problem during the update process. One of the newer issues isn’t exactly a vulnerability, but does seem like something that could wind up giving users a false sense of security.
#DOWNLOADING DRUPAL SECURITY UPDATES SOFTWARE#
After the update process is started, and the attacker runs a module, they could theoretically retrieve the Drupal database password and execute code.Īs there’s no fix available, Arnaboldi is encouraging those who use the software to manually download updates for it, and its add-ons, to stay safe.
In his proof of concept, the Arnaboldi names an update “7.41 Backdoored,” and it’s downloaded. The update process involves Drupal downloading a plaintext version of a XML file, but Arnaboldi points out the XML file could point to a backdoored version of Drupal, or a version from an untrusted server. To exploit the vulnerability an attacker would have to be on the same network and carry out a man-in-the-middle attack, Arnaboldi writes. The issue that’s lingered the longest Arnaboldi claims is that Drupal’s updates aren’t encrypted when they’re transferred, nor does the CMS verify the authenticity of the updates when they come across. Arnaboldi wrote a blog entry describing three of the issues, including one that has existed in the wild in some shape or form for years, and two which are being disclosed for the first time this week. The vulnerabilities lie in the way Drupal processes updates, according to Fernando Arnaboldi, senior security consultant with IOActive.
#DOWNLOADING DRUPAL SECURITY UPDATES CODE#
A number of issues exist in the content management system Drupal that could lead to code execution and the theft of database credentials via a man-in-the-middle attack, a researcher warns.
0 kommentar(er)
