Security problem with your Drupal configuration

Today the Drupal Security Team sent out a message in regard to emails being sent to people asking them to install a file on their Drupal server to make sure that some security problem in Drupal Core was plugged before a hacker finds it.

I wonder how many fell for it... probably not many since only the smartest work with Drupal, although there could be a few silly billies out there too!?

The interesting point of the message sent to Drupal users is that it says that the Drupal Security Team did not announce anything on their website. That's contrary to even receiving such a (public) message since those are posted on Drupal and then broadcasted to people who registered to receive those messages.

This being said, the email clearly shows that the Drupal people think some Drupal users could very well fall for it.

Oh! And as a side note on this one... It also shows that Drupal is otherwise quite strong in regard to security since it would not require someone to install a by-pass Trojan script to otherwise break the system. I guess that means I at least made one good choice in my life. 8-)

  * Advisory ID: PSA-2011-001
  * Project: Drupal core and contrib
  * Versions: All versions
  * Date: 2011-February-17
  * Security risk: Not critical

-------- DESCRIPTION  

This is a public service announcement regarding a recent social engineering
attack via the following mail purporting to come from the Drupal security
 >Hello, I am a member of the Drupal security team. Our installation records
 >show that your site runs Drupal on PHP [version] and [server]. We have
 >recently found a security problem with that configuration which could allow
 >a hacker to get into the site and delete any posts they want. We have not
 >posted anything about this yet publicly as we want to get this patch out to
 >as many people as possible first. We have developed a patch for this bug -
 >all you need to do is upload this file to your site in the
 >sites/default/files/ folder (do not change the name of the file) and Drupal
 >will see it and install it for you. We recommend you do this as soon as
 >possible. Sincerely, James Drupal security team
The mail was sent with Drupal Security <> as the
(easily-forged) "From" address. It also contained an attachment that was said
to be a patch that had to be uploaded and installed. Needless to say that
this file contained code to make the system accessible from the outside. If
you received a message like the above, do not upload the attached file. How
the Drupal Security Team communicates:
  1) The Security Team does not supply patches to sites.
  2) The Security Team will never ask site administrators to upload random
     files to their site. We only recommend to update to latest core or
     contrib releases downloaded from
  3) The Security Team officially uses three forms of communication for Drupal
     Security Advisories; the update report in your Drupal installation, the
     posts and RSS feed on, and the newsletter
     available from your user page. The Drupal Security Team does
     not publish to a Twitter feed or provide any other official communication
  4) The Security Team will never ask for passwords for your host or your
     Drupal install.

If you receive communications from someone saying they are a member of the
Security Team and their request is questionable, please forward the email to
the team at
-------- CONTACT  

The security team for Drupal can be reached at security at or via
the form at

Security-news mailing list