Drupal to secure its update process with HTTPS

The Drupal security team is working to add HTTPS support to updates and to fix other issues with the update mechanism

Developers of the popular Drupal content management system are working to secure the software's update mechanism after a researcher recently found weaknesses in it.

Last week, researcher Fernando Arnaboldi from security firm IOActive disclosed several issues with the update mechanism in Drupal: the failure of the back-end administration panel to report update errors, a cross-site request forgery (CSRF) flaw that could allow attackers to force admins to repeatedly trigger update checks, and the lack of encryption for update downloads.

The last issue was the most significant one, because it could have allowed attackers able to intercept the traffic between a Drupal-based site and the official Drupal servers to inject back-doored updates. Such an attack could lead to the compromise of the site and its database.

Fortunately, the Drupal security team was notified in advance and is working to fix the update shortcomings. Over the past few days the team has switched the project's infrastructure to support HTTPS so that the update processes for the Drupal core and its modules use secure channels.

For now the team has enabled HTTPS updates in Drush, a popular command-line shell and scripting interface for Drupal. It has also switched all download links from the project's pages to HTTPS.

The core update status module still doesn't use secure transport, but this is being worked on and will be deployed in the next Drupal update, the security team said in a blog post.

For now, website administrators can use a supported version of Drush to deploy updates or can manually download the release archives from their corresponding project pages.

The failed update notification issue and the CSRF flaw have not been addressed yet, but the Drupal security team opened tracking tickets for them and asked developers to contribute patches.
