Every now and then an important Drupal core security update is released, and on the 17th June one came along that affects both Drupal 6 and Drupal 7. The update relates to a few Drupal components:

  • The OpenID module, which ships with Drupal core and allows users to log into Drupal websites using accounts on third-party websites, is updated to prevent malicious users from logging in as other users on the site, including administrators, and hijacking their accounts under certain conditions.
  • The Field UI module in Drupal 7 is patched to prevent malicious users from redirecting website visitors to third-party websites under certain conditions. This vulnerability is mitigated by the fact that only sites with the Field UI module enabled are affected.
  • The Overlay module in Drupal 7, which displays administrative pages as a layer over the current page (using JavaScript) rather than replacing the page in the browser window, is patched to further validate URLs prior to displaying their contents, to prevent users being redirected to third-party websites. This vulnerability is mitigated by the fact that it can only be used against site users who have the "Access the administrative overlay" permission, and that the Overlay module must be enabled.

More information about these updates can be found in the security advisory, SA-CORE-2015-002, in the release notes for Drupal 7.38 and Drupal 6.36. If you are an O'Brien Media customer you can find out more about security updates for your website in our support pages.
