Drupal Patches Flaw That Allowed Hackers to Forge Password Reset URLs

Content management system Drupal is addressing 2 moderately essential vulnerabilities on with the discharge of versions vi.35 and 7.35.

In a security informative on its web site, Drupal aforesaid that one among the vulnerabilities enabled parole reset URLs to be cast underneath sure circumstances. this is able to permit AN assaulter to realize access to a different user’s account while not knowing the account’s parole.

Though the access bypass vulnerability may have an effect on Drupal vi and seven sites, “Drupal vi sites with empty parole hashes, or a parole field with a guessable string within the info, area unit particularly susceptible to this vulnerability,” consistent with Drupal.org.

The second vulnerability allowed malicious users to construct a uniform resource locator that may trick users into being redirected to a third party web site.

“Drupal core ANd contributed modules often use a ‘destination’ question string parameter in URLs to send users to a replacement destination once finishing an action on the present page,” Drupal’s security informative aforesaid.

There area unit quite one.1 million websites victimization Drupal, and version seven is that the most well-liked with roughly 983,000 installs, consistent with a report by SecurityWeek.

Drupal Patches Flaw That Allowed Hackers to Forge Password Reset URLs