Drupal flicks fix to nix OpenID admin account hijack hole

Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators.

The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system.

Drupal’s security team say attackers can target unpatched systems if they hold an OpenID account. “A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the team wrote in an advisory .

Tags: 

Read more: Drupal flicks fix to nix OpenID admin account hijack hole

Story added 19. June 2015, content source with full text you can find at link above.