No new features or bug fixes are included in the releases

Nov 22, 2013 09:29 GMT

Drupal 7.24 and 6.29 have been released to address a number of security holes. Users are advised to update their installations as soon as possible.

According to the developers, the updates have been released solely to fix the vulnerabilities. There are no new features or non-security-related bug fixes.

Multiple vulnerabilities exist because of an issue with the cross-site request forgery (CSRF) protection. By leveraging the security holes in some contributed modules, cybercriminals could have remotely executed arbitrary code.

A weakness in the pseudorandom number generator for security-related strings could have been exploited to predict the strings with the aid of brute-force tools.

In addition, cross-site scripting vulnerabilities have been identified in the Image and Color modules in Drupal 7. The Overlay module has been plagued by an open redirect flaw.

Drupal uses a .htaccess file to prevent the execution of arbitrary PHP scripts on the Apache web server. However, on certain Apache configurations, the protection doesn’t work. The latest update addresses this problem.

Finally, a security token validation issue that could have been leveraged for access bypass has been fixed.

You can download Drupal from Softpedia.