Drupal – Insecure Update Process, has been known since 2012

Source: IOActive Labs Research: Drupal – Insecure Update Process

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability on the update functionality

Issue #3: Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

Leave a Reply