Protection against critical Drupal security bug SA-CORE-2018-002

The authors of the Drupal CMS software today announced a “highly critical” Drupal security bug (SA-CORE-2018-002).

This vulnerability is likely to be widely exploited soon. If you use Drupal 6, 7 or 8 without updating it, your site will be compromised (taken over by “hackers”).

To protect our customers who have installed Drupal, we have “patched” the vulnerable files on every copy of Drupal on our servers, blocking the attacks that we expect to see in the future. We used these patches:

So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. If you’ve installed the Drupal software on your site, please make absolutely sure you’ve upgraded to the latest version today.

Our servers are not vulnerable to the critical PHPMailer security bug CVE-2016-10033

Many scripts that send e-mail include a file called PHPMailer. The file is distributed as part of WordPress, Joomla, Drupal, and lots more software.

Recently, a security researcher discovered a security bug in PHPMailer. The bug could allow “hackers” to take over a website.

However, sites hosted on our servers are not vulnerable to this problem. (Despite that, you should always update your copy of WordPress, Joomla, or any other software when there’s a new version available.)

Protection against a critical Drupal security bug

The authors of the Drupal CMS software recently announced a “highly critical” Drupal security bug (CVE-2014-3704). This vulnerability is being very widely exploited: If you use Drupal 7 on a server without protection, and you haven’t upgraded to Drupal 7.32, your site is soon going to be compromised (taken over by “hackers”).

To protect our customers who have installed Drupal, yesterday we added security rules to block the common attacks. And today, we “patched” the vulnerable “database.inc” file on every copy of Drupal on our servers, blocking the more complicated attacks that we expect to see in the future.

So our customers are protected against this particular problem. But that doesn’t mean you shouldn’t upgrade Drupal: older versions also have other security bugs. So if you’ve installed the Drupal 7 software on your site, please make absolutely sure you’ve upgraded to version 7.32 today.
