
Drupal drips out ten new patches, one worthy of immediate attention

Version 6.0 sent to code heaven, where old open source projects frolic among unicorns

Drupal has patched 10 holes in its platform that allow attackers to do things like access blocked resources and gain remote code execution.

The world's second-most-popular content management system also sent its sixth version to end-of-life status.

Six of the flaws are considered moderately severe and three minor for affected versions six, seven, and eight.

The critical file upload bypass affects versions seven and eight, the Drupal security team says.

"An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements" which users otherwise should not have access to, they say.

"This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined."
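The quoted description boils down to a form handler that trusts the client about which button was pressed. The following is an added illustration, not Drupal code, modelling a generic server-side handler in Python: the button names, roles and actions are constructed for the example. The weak handler accepts any button name in the POST body, so a button hidden from the user can still be triggered; the hardened handler recomputes the user's permitted buttons on every submission, which is the server-side check the mitigation relies on.

```python
"""Form-button access bypass: weak handler beside the hardened one.

Added example, not from Drupal. Buttons, roles and actions are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Button:
    name: str          # value the client sends in the 'op' field
    action: str        # server-side action the button triggers
    roles: frozenset   # roles permitted to see and use the button


# Constructed form definition: only admins may publish or delete.
FORM_BUTTONS = [
    Button("save", "save_draft", frozenset({"editor", "admin"})),
    Button("publish", "publish_node", frozenset({"admin"})),
    Button("delete", "delete_node", frozenset({"admin"})),
]


def visible_buttons(user_roles):
    """Buttons this user is allowed to see; also the only ones they may trigger."""
    return [b for b in FORM_BUTTONS if b.roles & user_roles]


def handle_submission_weak(post, user_roles):
    """Weak: resolves the triggering element from the client's 'op' value alone.

    Hiding a button in the rendered form does nothing here, because the
    lookup never consults user_roles, so a crafted POST naming a hidden
    button still runs its action.
    """
    by_name = {b.name: b for b in FORM_BUTTONS}
    button = by_name.get(post.get("op"))
    if button is None:
        return "error: unknown button"
    return button.action


def handle_submission_hardened(post, user_roles):
    """Hardened: the permitted set is derived server-side on every request.

    The client cannot widen the set of buttons it may trigger, so a
    submission naming a button outside the user's roles is rejected.
    """
    allowed = {b.name: b for b in visible_buttons(user_roles)}
    button = allowed.get(post.get("op"))
    if button is None:
        return "error: access denied"
    return button.action


if __name__ == "__main__":
    editor = frozenset({"editor"})
    print("weak    :", handle_submission_weak({"op": "publish"}, editor))
    print("hardened:", handle_submission_hardened({"op": "publish"}, editor))
```

The point of the comparison is where the authorization decision lives: rendering decides what the user sees, but only the handler can decide what the user may do, and it must make that decision from server-side state on every submission.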

The other, less critical flaws are largely mitigated by the fact that attackers rely on installations being unpatched, whereas most users run updated software, and by their dependence on certain modules being installed.

One moderately critical flaw is shared with WordPress, the top-ranked rival content management system: the XML-RPC platform can be abused for brute-force password attacks.

Only the now-abandoned Drupal six is vulnerable, and it will be one of the lesser security concerns in coming months for those not willing to upgrade.
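Sites that cannot upgrade still need to notice when the XML-RPC endpoint is being hammered. The following is an added detection example, not part of the article or of Drupal: it parses combined-format web server access log lines (the lines below are constructed for the example) and flags any source address that POSTs to the XML-RPC path more than a threshold number of times inside a sliding time window. The endpoint path, the window and the threshold are assumptions to be tuned for a real site.

```python
"""Flag XML-RPC password brute forcing from web server access logs.

Added example, not from Drupal or WordPress. Log lines, threshold, window
and endpoint path are constructed or assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one address fires six POSTs in five seconds, another
# makes a single legitimate call, a GET and a non-XML-RPC POST are noise,
# and one line is malformed to show the parser tolerating it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Mar/2016:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.4 - - [10/Mar/2016:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 389
192.0.2.9 - - [10/Mar/2016:10:00:31 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0
192.0.2.9 - - [10/Mar/2016:10:00:35 +0000] "POST /node/1 HTTP/1.1" 200 5120
this line is not a valid access log entry
"""


def parse_log(text):
    """Return (ip, timestamp, method, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a detector should not crash on one odd line
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("method"), m.group("path")))
    return events


def find_xmlrpc_bruteforce(text, path="/xmlrpc.php",
                           window=timedelta(seconds=60), threshold=5):
    """Map each source IP to its peak count of XML-RPC POSTs inside `window`,
    keeping only those at or above `threshold`."""
    per_ip = defaultdict(list)
    for ip, ts, method, req_path in parse_log(text):
        # Only POSTs carry XML-RPC calls; strip any query string before comparing.
        if method == "POST" and req_path.split("?", 1)[0] == path:
            per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} XML-RPC POSTs within one window")
```

A single XML-RPC POST is normal traffic, so the detector keys on rate per source rather than on the endpoint alone; the remaining tuning is choosing a window and threshold that fit the site's legitimate XML-RPC use.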

The update is entirely security-related and contains no new features. A scattering of independent researchers and bods from rival Joomla, together with the Drupal crew, are credited for the finds. ®
