Drupal Core Vulnerability Released – Denial of Service – Advisory SA-CORE-2013-002

As if the week wasn’t exciting enough, Drupal has released a core vulnerability that leaves it susceptible to Denial of Service attacks.

Metadata for this vulnerability is:

Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service

Description of the vulnerability:

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives, which can fill up the server’s disk space and cause a very high CPU load.
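Because a derivative is only generated (and only costs disk and CPU) the first time its URL is requested, the telltale sign of this abuse is a single client asking for many distinct derivative paths in a short window, not simply many image requests. The script below is an added example, not part of the advisory or this post, that applies that rule to web server access logs. It assumes derivatives are served under the stock Drupal 7 path prefix `/sites/default/files/styles/<style>/public/...`, and the log lines it runs on are constructed Apache combined-format samples; the 20-per-minute threshold is an arbitrary starting point to tune against a site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumed derivative URL layout (default Drupal 7 public files directory).
DERIV_RE = re.compile(r'^/sites/default/files/styles/[^/]+/public/.+')


def parse_line(line):
    """Return {ip, epoch, path, status} for one access-log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "epoch": ts.timestamp(),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_derivative_bursts(lines, window_seconds=60, threshold=20):
    """Flag clients requesting >= threshold distinct derivative paths inside one window.

    Repeated requests for the same derivative are served from disk and are not
    counted; non-200 responses mean no derivative was written, so they are skipped.
    """
    seen = defaultdict(set)  # (ip, window_start) -> distinct derivative paths
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 200 or not DERIV_RE.match(ev["path"]):
            continue
        window_start = int(ev["epoch"] // window_seconds) * window_seconds
        seen[(ev["ip"], window_start)].add(ev["path"])
    return [
        {"ip": ip, "window_start": ws, "distinct_derivatives": len(paths)}
        for (ip, ws), paths in sorted(seen.items())
        if len(paths) >= threshold
    ]


def build_sample_log():
    """Constructed sample lines (not real traffic) for a self-contained run."""
    fmt = ('{ip} - - [20/Feb/2013:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '{status} 4096 "-" "curl/7.29.0"')
    lines = []
    # Hostile client: 25 distinct derivatives in 25 seconds, then one cached repeat.
    for i in range(25):
        style = "thumbnail" if i % 2 == 0 else "large"
        path = "/sites/default/files/styles/%s/public/field/image/photo%d.jpg" % (style, i)
        lines.append(fmt.format(ip="203.0.113.7", sec=i, path=path, status=200))
    lines.append(fmt.format(ip="203.0.113.7", sec=25, status=200,
                            path="/sites/default/files/styles/thumbnail/public/field/image/photo0.jpg"))
    # Ordinary visitor: one page view and three derivatives.
    lines.append(fmt.format(ip="198.51.100.4", sec=5, path="/node/1", status=200))
    for i in range(3):
        path = "/sites/default/files/styles/medium/public/field/image/pic%d.jpg" % i
        lines.append(fmt.format(ip="198.51.100.4", sec=6 + i, path=path, status=200))
    # Derivative request whose source is missing: nothing generated, not counted.
    lines.append(fmt.format(ip="198.51.100.4", sec=10, status=404,
                            path="/sites/default/files/styles/medium/public/nope.jpg"))
    return lines


if __name__ == "__main__":
    for alert in find_derivative_bursts(build_sample_log()):
        print("burst: %(ip)s requested %(distinct_derivatives)d new derivatives "
              "in window starting at epoch %(window_start)d" % alert)
```

Run against a real log with `find_derivative_bursts(open("access.log"))`. A hit is a signal worth correlating with disk usage under the files directory and with CPU load, not proof of an attack on its own; a freshly launched site with a legitimate crawler can also trip it, and in any case the upgrade to 7.20 remains the actual fix.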

This vulnerability has been patched and it’s recommended that all Drupal sites upgrade to the latest version, 7.20.

I will say this about the announcement: I kind of wish other platforms would do something similar to disclose security issues to the public. Kudos to the Drupal security team for your approach to disclosure.

About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response, as well as offensive countermeasures. Catch my personal rants on tonyonsecurity.com and follow me on Twitter at perezbox.
