Security Updates Released for 3rd Party Drupal Modules

Security updates for modules of Drupal, the popular Content Management System (CMS), were made available earlier this week.

Security advisories were published addressing 2 moderately critical issues found within these modules.

For the Twitter module, an issue was discovered that allowed any authenticated account to post tweets rather than just the Twitter account belonging to the owner of the installed module. This issue would also allow any other account to delete the attached Twitter account. A partial mitigation is that an attacker would need to already have an account with a role allowing them to post to Twitter.

The second advisory concerns use of the RESTful API (Application Programming Interface) module. Authenticated users could inadvertently have their pages cached as anonymous users, which could potentially allow anonymous page requests to access pages that would otherwise be denied to them.

How Can I Protect Myself From These Issues?
If you use either of the above-mentioned modules with Drupal, please follow the steps/links within the advisories listed below to resolve these issues:

Twitter – Moderately Critical – Access bypass – SA-CONTRIB-2015-146
RESTful – Moderately Critical – Access bypass – SA-CONTRIB-2015-147

Thank you.
