Drupal flicks fix to nix OpenID admin account hijack hole
Drupal has shuttered a flaw in its implementation of OpenID that allows attackers to log in as web site administrators.
The flaw (CVE-2015-3234) is the most critical of four and affects versions six and seven of the content management system.
Drupal’s security team say attackers can target unpatched systems if they hold an OpenID account. “A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” the team wrote in an advisory .