Drupal Releases Security Updates for Open Semantic Framework (OSF)

The very popular website Content Management System (CMS) Drupal has released security updates to resolve 3 security issues within version 7 of their product when the Open Semantic Framework (OSF) module is installed.

One issue involves a Cross-site Scripting (XSS) that can be exploited by visiting a specifically crafted URL (a website link) but only when the OSF Ontology module is installed and enabled within your website.

The second issue can be exploited using a Cross-Site Request Forgery (CSRF) attack that would allow the attacker to obtain the privileges of the logged-in Drupal user (which could be a Drupal administrator) to create new OSF datasets (most likely containing false or misleading data). Only websites that have the OSF Import module installed and enabled could be vulnerable to this issue.

The final issue is present in both the OSF Import and Ontology modules mentioned above and could allow an attacker to delete any file of their choice from your Content Management System (CMS).

All 3 issues involve a user or an administrator of the Content Management System visiting a specifically crafted URL (a website link) to exploit these vulnerabilities. In order to reduce the risk of these issues being exploited (this should be done in conjunction with installing the necessary updates mentioned in the Drupal advisory), I would suggest using caution when clicking on any links in emails, instant messages or social networking posts if the links were received unexpectedly or the wording of such messages is suspicious. For shortened links, consider using a preview service to check the destination of the full link before visiting it. Links to preview services are available within the “Protecting Your PC” page of this blog.

Drupal users should upgrade to version 7.x-3.1 of the OSF module to resolve these issues. Further information and steps to install the updates are available in the Drupal Security Advisory.

Thank you.
