Patch/Configuration Management, Vulnerability Management

Drupal addresses denial-of-service, session hijacking vulnerabilities

An advisory was issued on Wednesday regarding a denial-of-service (DoS) vulnerability in Drupal 7 and a session hijacking flaw in Drupal 6 and 7.

According to the advisory, the DoS vulnerability lies in the password hashing API: an anonymous user can send specially crafted requests that exhaust CPU and memory, leaving the site unavailable or unresponsive.

For the session hijacking flaw, a “specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session,” according to the post.

Upgrading to Drupal core 6.34 or 7.34 will address the “moderately critical” issues, the post indicates. Users who configured a custom session.inc file for Drupal 6 or 7 sites, or a custom password.inc file for Drupal 7 sites, should ensure it is not affected by these vulnerabilities.
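As an added example (not code from SC Media or from the Drupal advisory), the following Python check turns the advice above into something a site owner can run against a Drupal codebase: it reads the `VERSION` constant that Drupal core defines in includes/bootstrap.inc, compares it with the fixed releases named above, and lists any `$conf['session_inc']` or `$conf['password_inc']` override in settings.php, the settings through which a site loads a custom session.inc or password.inc. The file contents used below are constructed samples; the string-based parsing assumes the stock `define('VERSION', ...)` and `$conf[...] = '...'` forms.

```python
import re

# Releases that carry the fix, per the advisory: Drupal core 6.34 and 7.34.
FIXED_MINOR = {6: 34, 7: 34}

# Drupal core declares its version in includes/bootstrap.inc, e.g. define('VERSION', '7.33');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'(\d+)\.(\d+)[^']*'\s*\)")
# settings.php overrides the session_inc / password_inc variables through the $conf array;
# the value is the path of the custom include that core will load instead of its own file.
OVERRIDE_RE = re.compile(
    r"\$conf\[\s*['\"](session_inc|password_inc)['\"]\s*\]\s*=\s*['\"]([^'\"]+)['\"]")

def parse_version(bootstrap_src):
    """Return (major, minor) parsed from bootstrap.inc source, or None if no VERSION define."""
    m = VERSION_RE.search(bootstrap_src)
    return (int(m.group(1)), int(m.group(2))) if m else None

def custom_includes(settings_src):
    """Return {variable: path} for every session.inc / password.inc override in settings.php."""
    return {var: path for var, path in OVERRIDE_RE.findall(settings_src)}

def assess(bootstrap_src, settings_src):
    """Classify a site as patched / vulnerable / out_of_scope / unknown and list follow-ups."""
    ver = parse_version(bootstrap_src)
    findings = []
    if ver is None:
        status = "unknown"
    elif ver[0] not in FIXED_MINOR:
        status = "out_of_scope"          # the advisory covers Drupal 6 and 7 only
    elif ver[1] >= FIXED_MINOR[ver[0]]:
        status = "patched"
    else:
        status = "vulnerable"
        findings.append("upgrade to Drupal core %d.%d" % (ver[0], FIXED_MINOR[ver[0]]))
    overrides = custom_includes(settings_src)
    for var, path in sorted(overrides.items()):
        # A core upgrade does not touch a site-supplied include; that file needs its own review.
        findings.append("custom %s (%s) must be reviewed independently of the core upgrade"
                        % (var.replace("_inc", ".inc"), path))
    return {"version": ver, "status": status, "overrides": overrides, "findings": findings}

# Constructed sample inputs: a site one release behind the fix, with a custom session.inc.
SAMPLE_BOOTSTRAP = "<?php\ndefine('VERSION', '7.33');\n"
SAMPLE_SETTINGS = "<?php\n$conf['session_inc'] = 'sites/all/modules/custom/session.inc';\n"

if __name__ == "__main__":
    for line in assess(SAMPLE_BOOTSTRAP, SAMPLE_SETTINGS)["findings"]:
        print(line)
```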
