Drupal Fixes Flaw that Allows Account Hijacking

Drupal has announced that it has patched a critical bug in it’s content management system (version 6 and 7) that allows an attacker to hijack administrators’ accounts.

The vulnerability is in the OpenID module in Drupal that enables a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

“This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange),” the advisory says.

Drupal has addressed the problem in it’s new security update, along with two patches to fix open redirect bugs in Drupal 7.

Administrators using the affected versions are advised to upgrade to the latest version available.