Drupal

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current.

The popular content management system is used by more than a million sites making it a significant target for hackers.

IOActive research man Fernando Arnaboldi says sites are now at risk of attack because Drupal 7 and 8 platforms are being marked as up-to-date, even if the automated patching process fails due to dead internet links.

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators.

The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system.

Drupal's security team say attackers can target unpatched systems if they hold an OpenID account. "A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts," the team wrote in an advisory .

The security team for Drupal project is warning users that websites running unpatched installations of version 7 of the popular open source content management system (CMS) may be compromised by automated attacks.

"You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15, 11pm UTC, that is 7 hours after the announcement," the security team said.

If your website runs on a self-hosted WordPress installation or on Drupal, update your software now.

Nir Goldshlager, a security researcher from Salesforce.com's product security team, has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

A new crowdfunding platform – Drupalfund – is intended to make it easier to contribute to Drupal and accelerate development work on the open source content platform, according to Jozef Toth.

Toth, a co-founder of Drupalfund and the CEO of Slovakia-based Web development agency Mogdesign.eu, said that a large portion of Drupal development has been based on individuals and companies donating time and money to the CMS.

It looks like Drupal.org has suffered a security incident that has exposed user names, email addresses and hashed passwords. Via email:

Dear community member,