Drupal Core Vulnerability Released – Denial of Service – Advisory SA-CORE-2013-002
As if the week wasn’t exciting enough, Drupal has disclosed a core vulnerability that leaves sites susceptible to Denial of Service attacks.
Metadata for this vulnerability is:
Advisory ID: DRUPAL-SA-CORE-2013-002
Project: Drupal core
Version: 7.x
Date: 2013-February-20
Security risk: Critical
Exploitable from: Remote
Vulnerability: Denial of service
Description of the vulnerability:
Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives, which can fill up the server’s disk space and cause a very high CPU load.
This vulnerability has been patched and it’s recommended that all Drupal sites upgrade to the latest version, 7.20.
I will say this about this announcement: I kind of wish other platforms would do something similar to disclose security issues to the public. Kudos to the Drupal security team for your approach to disclosure.