Attackers can harvest admin credentials via fake login pages

Oct 22, 2015 11:46 GMT

The Drupal team has issued a fast-track update, Drupal 7.41, to fix an open redirect vulnerability in the administrative interface that the June release, Drupal 7.38, had patched only incompletely.

To be more exact, the vulnerability was found in the Overlay module that ships with Drupal 7 core and is enabled by the standard installation profile. The module was added in 7.x as a way to show administrative pages in a layer floating on top of the site's front end, instead of replacing the page in the browser window or opening a dedicated tab for the classic admin panel.

Back in June, the Drupal team released version 7.38 to fix an "open redirect" issue in the same module.

According to OWASP (Open Web Application Security Project), "an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation." Such a flaw lets attackers send users to attacker-controlled sites without the users realizing it, since the link they click still points at a domain they trust, which is why open redirects are usually employed in phishing attacks.

In Drupal, the Overlay module reads the administrative path it should display from the page URL (the "#overlay=" fragment) and loads that page into the overlay. Because the module did not sufficiently validate that value, an attacker could craft a link whose fragment pointed outside the site; a Drupal admin who followed it would have seen the attacker's page, such as a fake login form, loaded in the overlay, and any credentials typed into it would have gone to the attacker.

The vulnerability could only be used against users who were already logged in and had permission to use the administrative overlay, and only on sites where the Overlay module was enabled.
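The mechanism described above, reduced to a runnable illustration. This is an added example, not Drupal's own overlay.js and not the actual patched code: a naive loader that trusts whatever follows "#overlay=" next to a hardened one that only accepts a site-relative path. The site origin, base path, sample fragments and function names are all assumptions made for the example.

```javascript
// Added illustration, not Drupal's overlay.js: how an "#overlay=<path>" style
// loader becomes an open redirect, and one way to validate the path.

const SITE_ORIGIN = 'https://example.com'; // assumed site origin (constructed)
const BASE_PATH = '/';                     // assumed Drupal base path (constructed)

// Extract the value after "#overlay=" from a location.hash string.
function readOverlayFragment(hash) {
  const m = /^#overlay=(.*)$/.exec(hash);
  return m ? m[1] : null;
}

// Naive loader: resolves whatever the fragment says against the site URL and
// returns the URL the overlay frame would be pointed at. An absolute or
// protocol-relative value resolves to a foreign origin: the open redirect.
function naiveOverlayTarget(hash) {
  const path = readOverlayFragment(hash);
  if (path === null) return null;
  return new URL(path, SITE_ORIGIN + BASE_PATH).href;
}

// Allow only a plain site-relative path such as "admin/config/people".
function isInternalOverlayPath(path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path);   // validate the decoded form, not the raw bytes
  } catch (e) {
    return false;                          // malformed percent-encoding
  }
  if (decoded.length === 0) return false;
  if (/[\u0000-\u001f\s\\]/.test(decoded)) return false;            // control chars, whitespace, backslash
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(decoded)) return false;      // any URL scheme: http:, javascript:, data:
  if (decoded.startsWith('/')) return false;                         // absolute path or protocol-relative //host
  if (decoded.split(/[?#]/)[0].split('/').includes('..')) return false; // traversal above the base path
  return true;
}

// Hardened loader: validate the raw value first, then re-check the resolved URL.
function safeOverlayTarget(hash) {
  const path = readOverlayFragment(hash);
  if (path === null || !isInternalOverlayPath(path)) return null;
  const url = new URL(path, SITE_ORIGIN + BASE_PATH);
  if (url.origin !== SITE_ORIGIN || !url.pathname.startsWith(BASE_PATH)) return null;
  return url.href;
}

// Constructed sample fragments, as the hash of an attacker-supplied link would carry them.
const SAMPLE_HASHES = [
  '#overlay=admin/config',                          // legitimate admin page
  '#overlay=https://evil.example/user/login',       // absolute URL to a lookalike login form
  '#overlay=//evil.example/user/login',             // protocol-relative URL, same effect
  '#overlay=javascript:alert(document.cookie)',     // script URL
];

// Run both loaders over the samples so the difference is visible side by side.
function compareLoaders(hashes = SAMPLE_HASHES) {
  return hashes.map((hash) => ({
    hash,
    naive: naiveOverlayTarget(hash),
    safe: safeOverlayTarget(hash),
  }));
}

for (const row of compareLoaders()) {
  console.log(`${row.hash}\n  naive -> ${row.naive}\n  safe  -> ${row.safe}`);
}
```

The check is deliberately an allow-list (a bare relative path and nothing else) rather than a block-list of known-bad prefixes; block-lists are exactly what tends to leave a second bypass behind, which is the situation a follow-up fix like 7.41 exists to close. The final origin comparison after URL resolution is a second, independent line of defence in case the string checks miss an encoding the browser's URL parser still accepts.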

Drupal 7.41 contains only this security fix, and all webmasters are encouraged to update their sites as quickly as possible. You can download Drupal from GitHub, the official website, or from a Softpedia mirror.