Recently, Drupal has released security updates for Drupal 6.x and Drupal 7.x. All the site owners, who are using Drupal based website, can review the solutions and maintain their site wonderfully. For all the site owners, it is recommended that schedule this upgrade within the next 7 – 14 days so that they get the benefit of security updates.
There are lots of vulnerabilities that are fixed in the supported Drupal core versions 6 as well as 7. Various users are feeling string as this update illustrates the value of Drupal and Open Source as it can be easily take as challenge to talk to your customers about this.
Let’s have a look on multiple vulnerabilities that has been fixed:
Cross-site request forgery protection:
As we all know that Drupal’s form has been built in cross-site requiest forgery validation and it enables any type of module to perform its own validation on the form. In some cases, form validation functions unsafe operations, but the validation of Drupal core form API has been changed in this release so that it can be easily skips subsequent validation if the CSRF validation fails. There are various other issues that has been faced by lots of people, therefore will also be fixed by this Drupal core release.
Fault in pseudorandom number generation using mt_rand:
When it comes to mt_rand(), Drupal core directly make use of mt_rand()pseudorandom number generator for developing security related strings used in various core modules.
Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.
Moreover, this vulnerability has no mitigation as all the Drupal websites are affected until the security update has been applied.
For invalid tokens, the function drupal_valid_token() can be returned as if the caller does not ensure that the token is a string. Mainly, this vulnerability is assuaged by the truth that contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be cord by an attacker. Presently, there is no known core or contributed module, which suffer from this vulnerability.
Cross-site Scripting (Image Module):
Before they are printed to HTML, Image file descriptions are not only properly sanitized so exposing a cross-site scripting vulnerability. This vulnerability is alleviated by the fact that an attacker must have a permission to administer field descriptions.
Cross-site scripting (Color module):
So, these are some of the major security updates released by Drupal for Drupal 6.x and 7.x, so all the users can get benefit of these security updates and enjoy a lot. To get more information on Drupal development, you can click here.
As we all know that Drupal has released security updates for Drupal 6.x and 7.x so users can get many security features and get lots of benefits. In this blog, you can get in-depth information about the security updates, so continue reading this blog…