Showing results for tags 'drupal'.
Drupal, one of the most widely used open source content management systems, is recommending its users to update their software to the latest versions 6.35 and 7.35 after the company discovered two moderately critical vulnerabilities that may allow an attacker to hack Drupal websites. According to a security advisory published yesterday, a flaw found in the Drupal core could allow a potential hacker, under certain circumstances, to bypass security restrictions by forging the password reset URLs.

ACCESS BYPASS / PASSWORD RESET URLs VULNERABILITY

Successful exploitation of this Access Bypass vulnerability could allow the hacker to gain unauthorized access to user accounts without knowing their password. This vulnerability is considered moderately critical: an attacker can remotely trick a registered user of a Drupal based website, such as an administrator, into launching a maliciously crafted URL in an attempt to take control of the target server.

AFFECTED DRUPAL WEBSITES

The exploitation of the access bypass vulnerability on a Drupal 7 website is possible only if the account importing or programmatic editing process results in the password hash in the database being the same for multiple user accounts. The websites running Drupal 6 are at greater risk, because the administrators of the websites have created multiple new user accounts protected by the same password. Moreover, the security vulnerability can also be exploited in Drupal 6 websites where accounts have been imported or programmatically edited in a way that results in the password hash field in the database being empty for at least one user account.

OPEN REDIRECT VULNERABILITY

The affected versions of Drupal CMS are also susceptible to an open redirect vulnerability. Drupal action URLs contain a "destination" parameter, which can be used by cyber criminals to redirect users to a third-party location with malicious content.
According to the Drupal team, there are multiple URL-related API functions in affected versions of Drupal 6 and 7 which can be used by attackers to pass through external URLs when not required. This could potentially lead to additional open redirect vulnerabilities. The issue is actually serious because Drupal is used to power over 1 billion websites on the Internet, which puts Drupal in third place behind WordPress and Joomla. Drupal provides a content management system for websites including MTV, Popular Science, Sony Music, Harvard and MIT.

RECOMMENDATIONS

Website administrators are strongly recommended to take some necessary steps:
- Update to the latest version of Drupal core, i.e. Drupal core 6.35 and Drupal core 7.35.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not click on links from unknown sources.
- Do not open email attachments from unknown or untrusted sources.
- Consider implementing file extension whitelists for allowed e-mail attachments.

Source
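The open redirect described in the post above comes down to one decision: whether the value of the "destination" parameter on an action URL is a site-local path or something a browser would resolve off-site. The following is an added example, not code from the post or from the Drupal project (which is written in PHP; the check is shown here in Python as an illustration). The function names `is_local_destination`, `safe_destination` and `redirect_target_from_query`, the `MAX_DESTINATION_LEN` limit and the sample query strings are all constructed for the example. It shows the shapes a validator has to refuse: absolute URLs, scheme-bearing values such as `javascript:`, protocol-relative `//host` values, backslash variants and percent-encoded forms of the same.

```python
from urllib.parse import parse_qs, unquote, urlsplit

MAX_DESTINATION_LEN = 2048  # assumed limit for this example; not a Drupal constant


def is_local_destination(destination: str) -> bool:
    """True only if `destination` is a site-relative path such as "node/1"
    or "/user/login?x=1"; False for anything a browser could resolve off-site."""
    if not destination or len(destination) > MAX_DESTINATION_LEN:
        return False
    # Leading/trailing whitespace and C0 control characters are stripped or
    # tolerated by some URL parsers; refuse rather than guess how they resolve.
    if destination != destination.strip() or any(ord(c) < 0x20 for c in destination):
        return False
    # Browsers treat "\" like "/", so "/\evil.example" behaves as "//evil.example".
    if "\\" in destination:
        return False
    parts = urlsplit(destination)
    if parts.scheme or parts.netloc:  # http://host, javascript:..., //host/...
        return False
    if destination.startswith("//"):  # also catches "///host", which urlsplit
        return False                  # reports as a plain path with empty netloc
    return True


def safe_destination(raw: str, default: str = "/") -> str:
    """Decode `raw` once, return it if it is local, otherwise return `default`.

    Decoding before the check means "%2F%2Fevil.example" is judged as
    "//evil.example" and refused. Decoding more than the framework does can
    only make the check stricter, never looser.
    """
    decoded = unquote(raw or "")
    return decoded if is_local_destination(decoded) else default


def redirect_target_from_query(query_string: str, default: str = "/") -> str:
    """Choose the post-action redirect target for a request such as
    /user/login?destination=node%2F1, as an action URL handler would."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("destination", [""])[0]
    return safe_destination(raw, default)


if __name__ == "__main__":
    # Constructed sample query strings (not taken from the advisory).
    samples = (
        "destination=node%2F1",
        "destination=%2F%2Fevil.example%2Fx",
        "destination=http%3A%2F%2Fevil.example",
        "destination=javascript%3Aalert(1)",
        "x=1",
    )
    for q in samples:
        print(f"{q!r:45} -> {redirect_target_from_query(q)!r}")
```

The fallback to a fixed default (the site root) rather than an error is deliberate: a user who followed a tampered link still lands somewhere on the site, and nothing in the rejected value is echoed back into the response.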
I want to present a very nice program with which you can make any template you want for the CMSs mentioned above: Joomla, WordPress, Drupal and your own. This program is called Artisteer 2. You can download it here: RapidShare: 1-CLICK Web hosting - Easy Filehosting. It is very easy to use and you can do whatever you want with templates, without any connection to any programming language; play with it and you will get to know it better. Here is a site where I used this program: Welcome to the Frontpage. Here is a presentation of this program; I am very satisfied with it and have been using it for a long time, try it yourselves. And upload it to another server, because it cannot be downloaded many times from RapidShare. I hope you find it useful.