Drupal uncrosses fingers, promises secured patching

Drupal is switching to secured channels for updating its content management system, after IOActive security bod Fernando Arnaboldi reported it sought patches in the clear.

More than a million sites use the popular content management system, making it a significant target for hackers.

The vulnerabilities are not earth-shattering but are enough to warrant fixes.

"[The exposed update process] is accurate and in the past few days we have been working to switch infrastructure and update processes to use secure channels," Drupal security wonks said in response to the disclosures.

"Furthermore, we've investigated and concluded the following download channels are or were affected.

"DNS poisoning or man-in-the-middle attacks between Drupal.org and the person or program performing the download could result in a download of unverified code, [but] both of these would require a bad actor to be able to have control of the network at some point between your site and Drupal.org's servers."

The most common download methods now use HTTPS by default while SSL will be slapped on anonymous downloads via git. An updated Drupal core will follow.

Arnaboldi revealed Drupal would inaccurately state it had been updated when patching had failed due to network connectivity issues. Drupal said this "should" be fixed, but noted it was incorrectly stated on only one page.

Patching Drupal is critical given its popularity. In October 2014, attackers took mere hours to compromise untold piles of sites whose admins had failed to apply a patch against a dangerous SQL injection flaw.

Drupal downplayed the remaining security issue, noting that cross-site request forgery attacks to drain server resources would require a lot of resources.

The project called for interested parties to help develop the cross-site request forgery patch. ®