Drupal to secure its update process with HTTPS

Discussion in 'Network World' started by RSS, Jan 11, 2016.

  1. RSS

    Developers of the popular Drupal content management system are working to secure the software's update mechanism after a researcher recently found weaknesses in it.

    Last week, researcher Fernando Arnaboldi from security firm IOActive disclosed several issues with the update mechanism in Drupal: the failure of the back-end administration panel to report update errors, a cross-site request forgery (CSRF) flaw that could allow attackers to force admins to repeatedly trigger update checks, and the lack of encryption for update downloads.

    The last issue was the most significant one, because it could have allowed attackers who could intercept the traffic between a Drupal-based site and the official Drupal servers to inject back-doored updates. Such an attack could lead to the compromise of the site and its database.
