Drupal Fixes Flaw that Allows Account Hijacking
Drupal has announced that it has patched a critical bug in
its content management system (versions 6 and 7) that allows an attacker
to hijack administrators’ accounts.
The vulnerability is in the OpenID module in Drupal that enables a
malicious user to log in as other users on the site, including
administrators, and hijack their accounts.
“This vulnerability is mitigated by the fact that the victim must
have an account with an associated OpenID identity from a particular set
of OpenID providers (including, but not limited to, Verisign,
LiveJournal, or StackExchange),” the advisory says.
Drupal has addressed the problem in its new security update, along with two patches that fix open redirect bugs in Drupal 7.
Administrators using the affected versions are advised to upgrade to the latest version available.