fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Drupal Issues Emergency Fix For Critical Bug With Known Exploits

Drupal Issues Emergency Fix For Critical Bug With Known Exploits

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions.

“According to the regular security release window schedule, November 25th would not typically be a core security window,” Drupal said.

Also Read: Limiting Location Data Exposure: 8 Best Practices

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Right now, over 944,000 websites are using vulnerable Drupal versions out of a total of 1,120,941 according to official stats. “These statistics are incomplete; only Drupal websites using the Update Status module are included in the data,” Drupal says.

Drupal is also used by 2.5% of all websites with content management systems, making it the fourth most popular CMS on the Internet, after WordPress (63.8%), Shopify (5.1%), and Joomla (3.6%).

Security updates for all affected versions

According to Drupal’s security advisory, the vulnerability is caused by two bugs in the PEAR Archive_Tar library used by the content management system (CMS) tracked as CVE-2020-28948 and CVE-2020-28949.

The critical Drupal code execution vulnerability can be exploited if the CMS is configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads.

Multiple Drupal security updates were issued to fix the bug and to allow admins to quickly patch their servers to protect them from potential attacks.

Drupal recommends installing the following updates on affected servers:

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team said.

Mitigation measures also available

Mitigation measures are also available for admins who cannot immediately update the Drupal installation on their servers.

To do that, site admins are advised to block untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files to temporarily mitigate the issue.

Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert today urging admins and users to upgrade to the patched Drupal versions.

Also Read: 10 Practical Benefits of Managed IT Services

Last week, Drupal patched another critical remote code execution vulnerability tracked as CVE-2020-13671 and caused by improper filenames sanitization for uploaded files. 

“Pay specific attention to the following file extensions, which should be considered dangerous even when followed by one or more additional extensions: phar, PHP, pl, py, cgi, asp, js, HTML, htm, and phtml” the company said. 

“This list is not exhaustive, so evaluate security concerns for other unmunged extensions on a case-by-case basis.”

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us