Source: IOActive Labs Research: Drupal – Insecure Update Process
Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.
Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability in the update functionality.
Issue #3: Drupal security updates are transferred unencrypted without checking the authenticity, which could lead to code execution and database access.
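A fail-closed update check that addresses Issues #1 and #3, as an added example (not code from Drupal, IOActive or the original post). The JSON feed layout, the `fetch` callable and all names are assumptions made for illustration; Drupal's real update feed is not modelled here.

```python
import hashlib
import hmac
import json
from enum import Enum
from urllib.parse import urlsplit

class Status(Enum):
    CURRENT = "up to date"
    UPDATE_AVAILABLE = "update available"
    UNKNOWN = "update check failed"  # Issue #1: never collapsed into CURRENT

def _version(text):
    # "7.41" -> (7, 41); raises ValueError/AttributeError on malformed input
    return tuple(int(part) for part in text.split("."))

def check_for_update(installed, feed_url, fetch):
    """fetch(url) -> bytes is a hypothetical transport that raises OSError."""
    # Issue #3: a plaintext feed can be rewritten in transit, so refuse it.
    if urlsplit(feed_url).scheme != "https":
        return Status.UNKNOWN, "refusing update feed not served over HTTPS"
    try:
        release = json.loads(fetch(feed_url))
        latest, digest = release["version"], release["sha256"]
        newer = _version(latest) > _version(installed)
    except (OSError, ValueError, KeyError, TypeError, AttributeError) as exc:
        # Any transport or parse failure is reported, not hidden.
        return Status.UNKNOWN, f"{type(exc).__name__}: {exc}"
    if newer:
        return Status.UPDATE_AVAILABLE, digest
    return Status.CURRENT, None

def package_matches_digest(package, expected_sha256):
    # Compare the downloaded bytes with the digest taken from the HTTPS feed.
    if not isinstance(expected_sha256, str):
        return False
    actual = hashlib.sha256(package).hexdigest().encode()
    return hmac.compare_digest(actual, expected_sha256.lower().encode())

if __name__ == "__main__":
    package = b"constructed package bytes"
    feed = json.dumps({"version": "7.42",
                       "sha256": hashlib.sha256(package).hexdigest()}).encode()

    def broken_fetch(url):  # constructed failure case
        raise OSError("connection reset")

    print(check_for_update("7.41", "https://updates.example/feed", lambda u: feed))
    print(check_for_update("7.41", "https://updates.example/feed", broken_fetch))
    print(check_for_update("7.41", "http://updates.example/feed", lambda u: feed))
    print(package_matches_digest(b"tampered", json.loads(feed)["sha256"]))
```

The digest comparison is only as trustworthy as the channel the feed arrived over, which is why the plaintext URL is rejected before anything is fetched.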
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft
robin@edgarbv.com
https://www.edgarbv.com