Recently, Drupal has released security updates for Drupal 6.x and Drupal 7.x. Site owners running Drupal-based websites should review the fixes and keep their sites up to date. It is recommended that site owners schedule this upgrade within the next 7 – 14 days so that they get the benefit of the security updates.
Many vulnerabilities are fixed in the supported Drupal core versions 6 and 7. Many users feel strongly that this update illustrates the value of Drupal and open source, and it can easily be taken as an opportunity to talk to your customers about it.
Let's have a look at the multiple vulnerabilities that have been fixed:
Cross-site request forgery protection:
As we all know, Drupal's form API has built-in cross-site request forgery validation, and it allows any module to perform its own validation on a form. In some cases, form validation functions perform unsafe operations. The validation in Drupal core's form API has been changed in this release so that subsequent validation is skipped if the CSRF validation fails. Various other issues that many people have run into are also fixed by this Drupal core release.
Fault in pseudorandom number generation using mt_rand():
Drupal core directly used the mt_rand() pseudorandom number generator to generate security-related strings in several core modules. It was found that brute-force tools could determine the seeds, making these strings predictable under certain circumstances.
This vulnerability has no mitigation: all Drupal websites are affected until the security update has been applied.
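The point about mt_rand() is that a Mersenne Twister output is a pure function of its seed, so a security string built from it is only as unpredictable as the seed. The following added example (written in Python, not Drupal's PHP, and not code from Drupal itself) builds a "security string" two ways: from a seeded Mersenne Twister, which Python's random module also uses, and from the operating system's CSPRNG via the secrets module. The seed space used by recover_seed() is a constructed, deliberately tiny range so the self-check runs in a second; it stands in for the much larger but still enumerable seed space the advisory refers to.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def seeded_token(seed: int, length: int = 16) -> str:
    """Build a token from a seeded Mersenne Twister (random.Random is MT19937,
    the same family as PHP's mt_rand). The output is fully determined by seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(length: int = 16) -> str:
    """Build a token from the OS CSPRNG. There is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(observed: str, seed_space: range):
    """Audit self-check: if the seed can be enumerated, the token can be
    reproduced. Returns the seed that reproduces `observed`, or None.
    `seed_space` is a constructed toy range for illustration only."""
    for seed in seed_space:
        if seeded_token(seed, len(observed)) == observed:
            return seed
    return None


if __name__ == "__main__":
    # Constructed seed: a small integer, as a guessable seed would be.
    weak = seeded_token(4242)
    print("seeded token:", weak, "-> seed recovered:", recover_seed(weak, range(2 ** 14)))
    strong = secure_token()
    print("CSPRNG token:", strong, "-> seed recovered:", recover_seed(strong, range(2 ** 10)))
```

The defender's takeaway is the asymmetry the two functions show: the seeded generator is reproducible by anyone who can enumerate its seed, while the CSPRNG-backed token has no seed to find, which is why security-sensitive strings should never come from a general-purpose PRNG.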
Access bypass:
The function drupal_valid_token() can report an invalid token as valid if the caller does not ensure that the token is a string. This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_valid_token() with an argument that an attacker can manipulate into something other than a string. Presently, there is no known core or contributed module that suffers from this vulnerability.
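The two form API fixes above, running CSRF validation before any module validator and refusing non-string tokens, are easy to see together in one small validator. The following is an added example in Python, not Drupal's PHP and not Drupal's own form API code: the token derivation (an HMAC over a constructed session secret) and the function names are assumptions standing in for drupal_get_token() and drupal_valid_token(). The second module validator has a side effect, which is exactly the kind of unsafe operation that must not run on a submission whose CSRF token failed.

```python
import hashlib
import hmac

# Constructed per-session secret; a stand-in for Drupal's private key plus
# session id, not Drupal's real token scheme.
SESSION_SECRET = b"constructed-session-secret"


def get_token(form_id: str) -> str:
    """Derive a form-specific CSRF token from the session secret."""
    return hmac.new(SESSION_SECRET, form_id.encode(), hashlib.sha256).hexdigest()


def valid_token(token, form_id: str) -> bool:
    """Validate a submitted token.

    The type check is the 'Access bypass' fix: a token that arrives as
    anything other than a string (e.g. a list parsed from token[]=... in the
    request) is rejected outright instead of reaching a loose comparison.
    """
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(token, get_token(form_id))


def validate_form(form_id: str, submission: dict, validators: list) -> tuple:
    """Run CSRF validation first; skip module validators when it fails.

    Returns (ok, errors, names_of_validators_that_ran).
    """
    errors, ran = [], []
    if not valid_token(submission.get("form_token"), form_id):
        errors.append("form_token: invalid or missing CSRF token")
        return False, errors, ran  # nothing else runs on a forged request
    for name, fn in validators:
        ran.append(name)
        err = fn(submission)
        if err:
            errors.append(f"{name}: {err}")
    return not errors, errors, ran


# Constructed module validators. record_attempt() writes somewhere, which is
# why it must only run after the CSRF check has passed.
AUDIT_LOG = []


def check_title(values):
    return None if values.get("title") else "title is required"


def record_attempt(values):
    AUDIT_LOG.append(values.get("title"))
    return None


VALIDATORS = [("check_title", check_title), ("record_attempt", record_attempt)]

if __name__ == "__main__":
    good = {"form_token": get_token("node_form"), "title": "hello"}
    print(validate_form("node_form", good, VALIDATORS))
    # Same token value but wrapped in a list, as token[]=... would arrive.
    bad = {"form_token": [get_token("node_form")], "title": "hello"}
    print(validate_form("node_form", bad, VALIDATORS), AUDIT_LOG)
```

Note the ordering: the CSRF check is not just one validator among many but a gate in front of the others, so a validator with side effects can never observe a forged submission.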
Cross-site scripting (Image module):
Image file descriptions are not properly sanitized before they are printed to HTML, exposing a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to administer field descriptions.
Cross-site scripting (Color module):
A cross-site scripting vulnerability was found in the Color module: a malicious attacker could deceive a genuine administrative user into visiting a page containing specific JavaScript, leading to a reflected cross-site scripting attack through JavaScript execution in CSS. This vulnerability is mitigated by the fact that it only occurs in older browsers and in a restricted set of modern browsers.
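Both cross-site scripting fixes come down to the same rule, escape or strictly validate user-supplied data for the context it is printed into, but the two contexts differ: an HTML body for the image description, and a CSS stylesheet for the colour value. The following added example (Python, not Drupal's PHP and not Drupal's own Image or Color module code) shows an unsafe and a safe renderer for a description, and a CSS emitter that only accepts strict hex colours for a constructed, fixed set of selectors, so that something like a legacy CSS expression() can never reach the stylesheet. The sample payload is constructed for the test.

```python
import html
import re

# Strict hex colour: the only shape a colour-scheme value is allowed to take.
HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")

# Constructed fixed selector list; keys not in it are rejected too, so the
# selector side of the rule cannot carry injected text either.
ALLOWED_SELECTORS = {"body", "a", "h1"}


def render_description_unsafe(description: str) -> str:
    """The pattern the advisory describes: raw interpolation into HTML."""
    return f'<div class="description">{description}</div>'


def render_description(description: str) -> str:
    """Escape for the HTML body context before interpolating."""
    return f'<div class="description">{html.escape(description, quote=True)}</div>'


def color_css(scheme: dict) -> str:
    """Emit CSS for a colour scheme, allowing only whitelisted selectors and
    strict hex values. Anything else raises instead of being written out."""
    rules = []
    for selector, value in scheme.items():
        if selector not in ALLOWED_SELECTORS:
            raise ValueError(f"rejected unknown selector {selector!r}")
        if not HEX_COLOR.match(value):
            raise ValueError(f"rejected non-hex color for {selector!r}: {value!r}")
        rules.append(f"{selector} {{ color: {value}; }}")
    return "\n".join(rules)


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed sample input
    print(render_description_unsafe(payload))
    print(render_description(payload))
    print(color_css({"body": "#112233", "a": "#AABBCC"}))
    try:
        color_css({"body": "expression(alert(1))"})
    except ValueError as exc:
        print("blocked:", exc)
```

Validating the colour value with a whitelist rather than escaping it is deliberate: there is no general-purpose escaping for the CSS value context that old browsers honour, so the safe approach is to accept only the narrow shape the feature actually needs.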
These are some of the major security updates released by Drupal for Drupal 6.x and 7.x; all users should apply them to get the benefit of these security fixes.