Friday, January 15, 12:55
Home security Drupal: Security updates to deal with exploits

Drupal: Security updates to deal with exploits

The developers of the content management system Drupal (CMS) were released emergency updates security due to the availability of some exploits, which may endanger the systems.

Drupal exploits
Drupal: Security updates to deal with exploits

The basic ones updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 face two vulnerabilities that affect the PEAR Archive_Tar, a third-party library designed for handling files .tar in PHP.

Updates fix two vulnerabilities named CVE-2020-28948 and CVE-2020-28949.

Exploitation involves manipulating filenames and can allow an attacker to execute PHP code or overwrite files, including important files such as / etc / passwd and / etc / shadow.

The researcher who mentioned the vulnerabilities, published and proof-of-concept (PoC) exploits, That's why Drupal developers decided to release special updates for them users, to protect them from a possible attack.

According to the update schedule, the patch released on November 25 is not a basic update. However, this was necessary because there are known exploits that make certain Drupal configurations vulnerable to attacks.

Security updates
Drupal: Security updates to deal with exploits

Drupal developers have pointed out that exploitation is possible if the CMS is configured to allow the uploading of .tar, .tar.gz, .bz2 or .tlz files. Last year, similar vulnerabilities related to the same PEAR library were fixed. The developers said that the current vulnerabilities are not related to last year, although the same configuration changes may alleviate the problem. One of the tips that experts give to users is to prohibit untrusted users from downloading archives with the above extensions.

This is the sixth update security released this year for the Drupal CMS. The fifth patch was also released this month to fix one vulnerability which allowed an attacker to execute code remotely.

Source: Security Week

LEAVE ANSWER

Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortresshttps://www.secnews.gr
Pursue Your Dreams & Live!

LIVE NEWS

Classiscam: Fraudsters "fake" brands and deceive users of European markets!

Dozens of criminal gangs publish fake ads in popular online markets, to attract unsuspecting users to "fraudulent" commercial sites or phishing ...

iOS 14.4: Displays a notification for repairs with non-genuine cameras

Starting with the iPhone 11, Apple has added a notification to iOS that tells the user when the device has a ...

Facebook: Sues Chrome extensions developers for data theft

Facebook has filed a lawsuit against two Portuguese nationals for developing Chrome extensions that collected data from Facebook users.

Cisco does not fix 74 bugs in RV routers that have reached their EOL

Cisco said yesterday that it will not release firmware updates to fix 74 vulnerabilities that have been reported in ...

Hacker commits new crimes while waiting for his release!

A Kosovo hacker was pardoned after his conviction. The hacker provided personally identifiable information over 1.000 ...

Nintendo rules out Game & Watch video hacking

Two copyright claims against a YouTuber have been filed by Nintendo, for a video showing hacking of Super Mario ...

The number of reported CVEs increased by 6%!

According to a new analysis released on the level and volume of vulnerabilities in 2020, the total number of CVEs ...

Google: Removed 164 apps that featured out-of-context ads

Google removed 164 Android applications from the official Play Store, after security researchers discovered that the specific apps were bombarding them ...

Britain: Loss of 150.000 police records from a database

Some 150.000 police records have been deleted from its database as a result of a technical problem, according to the British government.