Security problem with your Drupal configuration
Today the Drupal Security Team sent out a message about emails asking people to install a file on their Drupal server, supposedly to make sure that some security problem in Drupal Core is plugged before a hacker finds it.
I wonder how many fell for it... probably not many since only the smartest work with Drupal, although there could be a few silly billies out there too!?
The interesting point of the message sent to Drupal users is that it says that the Drupal Security Team did not announce anything on their website. That contradicts how such a (public) message reaches anyone in the first place: advisories are posted on the Drupal website and then broadcast to people who registered to receive them.
This being said, the email clearly shows that the Drupal people think some Drupal users could very well fall for it.
Oh! And as a side note on this one... It also shows that Drupal is otherwise quite strong in regard to security since it would not require someone to install a by-pass Trojan script to otherwise break the system. I guess that means I at least made one good choice in my life. 8-)
* Advisory ID: PSA-2011-001
* Project: Drupal core and contrib
* Versions: All versions
* Date: 2011-February-17
* Security risk: Not critical

-------- DESCRIPTION ---------------------------------------------------------

This is a public service announcement regarding a recent social engineering attack via the following mail purporting to come from the Drupal security team.

>Hello, I am a member of the Drupal security team. Our installation records
>show that your site runs Drupal on PHP [version] and [server]. We have
>recently found a security problem with that configuration which could allow
>a hacker to get into the site and delete any posts they want. We have not
>posted anything about this yet publicly as we want to get this patch out to
>as many people as possible first. We have developed a patch for this bug -
>all you need to do is upload this file to your site in the
>sites/default/files/ folder (do not change the name of the file) and Drupal
>will see it and install it for you. We recommend you do this as soon as
>possible. Sincerely, James Drupal security team

The mail was sent with Drupal Security <drupal_s@yahoo.com> as the (easily-forged) "From" address. It also contained an attachment that was said to be a patch that had to be uploaded and installed. Needless to say that this file contained code to make the system accessible from the outside.

If you received a message like the above, do not upload the attached file.

How the Drupal Security Team communicates:

1) The Security Team does not supply patches to sites.

2) The Security Team will never ask site administrators to upload random files to their site. We only recommend to update to latest core or contrib releases downloaded from drupal.org.

3) The Security Team officially uses three forms of communication for Drupal Security Advisories; the update report in your Drupal installation, the posts and RSS feed on https://drupal.org/security, and the newsletter available from your Drupal.org user page. The Drupal Security Team does not publish to a Twitter feed or provide any other official communication channel.

4) The Security Team will never ask for passwords for your host or your Drupal install.

If you receive communications from someone saying they are a member of the Security Team and their request is questionable, please forward the email to the team at security@drupal.org.

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via the form at https://drupal.org/contact.

_______________________________________________
Security-news mailing list
Security-news@drupal.org
http://lists.drupal.org/mailman/listinfo/security-news