News
The crystal ball that I am currently looking through is telling me that there is at least one new vulnerability. I am convinced that some new vulnerabilities currently exist that could potentially cause damage to a person's computer. It is unfortunate that vulnerabilities keep on emerging; maybe one day a big virtual stop sign will appear amongst all the online traffic and stop the vulnerabilities dead in their tracks. I can dream, can't I?
Getting back to reality, I am here to inform you about a new vulnerability that has been discovered in none other than Drupal. For those of you who may be wondering what Drupal is, allow me to explain. Drupal is a wonderful open source content management platform. It provides its users with many exciting features. You can perform a variety of tasks on a variety of web sites with the use of Drupal. The program was developed and is maintained by a huge community of computer developers, which helps to ensure its credibility. It may be used with any browser, including Mozilla Firefox 2. Some of the files of Mozilla Firefox 2 may include but are not limited to the following: firefox-l10n.js, inspector-cmdline.js, nsBrowserContentHandler.js, nsSidebar.js, nsXmlRpcClient.js as well as reporter.js.
Now let me get down to the horrible part that you knew would come eventually. Yes, you have guessed it; I am going to explain to you, as best as I can, how Drupal is affected. The Bubbletimer module for Drupal is vulnerable to HTML injection exploits. This is due to the fact that the application itself isn't able to change (that is, sanitize) the supplied input correctly prior to making use of it for content which is dynamically generated. It is quite nail-biting to know that manipulated HTML as well as script code can run in the context of an affected browser. As a result, malicious individuals are able to steal cookie-based authentication details or control the way the site appears to the user. It is not surprising that various other attacks and online malicious activities are highly possible. If malicious online characters want to exploit this vulnerability they could do so fairly easily; all they would require is a browser.
The solution for this vulnerability would be for all users to update to the latest version and apply the relevant updates. At the end of the day, it would be worth it to take a few moments out of your weekend to spend on the security of your computer.
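To make the flaw class concrete, here is an added example that is not part of the original article and is not code from the Bubbletimer module or Drupal: it renders the same supplied value with and without output encoding and reports which elements and attributes a parser then sees. The function names and sample inputs are constructed for illustration, and PHP's htmlspecialchars() stands in for the sanitizing functions of the Drupal API; it assumes PHP's DOM extension is available.

```php
<?php
// Added illustration; every name and sample value here is constructed.

// Vulnerable pattern: supplied input is placed into generated markup unchanged.
function render_unsafe(string $label): string {
    return '<h2>' . $label . '</h2>'
         . '<input name="label" value="' . $label . '">';
}

// Hardened pattern: encode HTML metacharacters at output time.
// ENT_QUOTES also encodes ' and ", which matters inside the value="" attribute.
function html_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_safe(string $label): string {
    $safe = html_escape($label);
    return '<h2>' . $safe . '</h2>'
         . '<input name="label" value="' . $safe . '">';
}

// List every element (with its attribute names) that an HTML parser finds.
function element_summary(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments trigger harmless warnings
    $doc->loadHTML($html);
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (in_array($el->nodeName, ['html', 'head', 'body'], true)) {
            continue;                   // wrapper nodes added by the parser
        }
        $attrs = [];
        foreach ($el->attributes as $attr) {
            $attrs[] = $attr->nodeName;
        }
        $found[] = $el->nodeName . '[' . implode(',', $attrs) . ']';
    }
    return $found;
}

// The template alone should only ever produce these two elements.
$template = ['h2[]', 'input[name,value]'];
$samples  = ['Write report', '<script>alert(1)</script>', '" onmouseover="alert(1)'];

foreach ($samples as $sample) {
    foreach (['render_unsafe', 'render_safe'] as $render) {
        $seen    = element_summary($render($sample));
        $verdict = ($seen === $template) ? 'ok' : 'INJECTED';
        printf("%-14s %-9s %s\n", $render, $verdict, implode(' ', $seen));
    }
}
```

The same comparison against the template's expected elements works as a regression check for any output path that renders user-supplied text.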
User Comments
If we are talking about the security of Drupal overall, what about the built-in session controls, the data abstraction that automatically sanitizes data as it goes into the SQL database, extensive right management that can easily be the basis for a sophisticated RBACL?
Drupal comes fortified by default and you can add additional modules or change the administrative settings to eliminate the built-in security.
Also, your explanation of what Drupal is makes Drupal sound like a web browser plugin.
There's a bit of ambiguity in that statement: the reason the BubbleTimer module is vulnerable to XSS attacks is because it did not use the HTML sanitizing functions that are built into the Drupal APIs. Drupal is absolutely able to 'change the supplied input... prior to making use of it'; without that ability, every single input field would be an XSS hole.
It's still up to developers who write plugins and addons to use those APIs, of course -- any system that supports plugin mechanisms needs to deal with the fact that third parties can write insecure code and release it. Drupal provides detailed instructions for developers in its handbook, at http://drupal.org/writing-secure-code -- if you're considering writing any code that will run on a Drupal site, be sure to check it out!