Major security updates have been issued for the Drupal framework that are thought to fix the flaws used to leak the Panama Papers data earlier this year.
Drupal is an open source platform used for content management on many major websites, and is often favoured by governments and big companies.
It is believed that the huge leak of data on the financial matters of world leaders and business executives from Panama-based law firm Mossack Fonseca was caused by a Drupal flaw that allowed the data to be accessed.
Drupal has now fixed two major problems affecting the platform, saying that as many as 10,000 sites are affected.
"These contributed modules are used on between 1,000 and 10,000 sites. The Drupal security team urges you to reserve time for module updates because exploits are expected to be developed within hours/days," the company said in a security advisory.
The first fix relates to a module dubbed RESTWS that enables users to “expose Drupal entities as RESTful web services”. The fix for this module is listed as Highly Critical and affects all 7.x versions of the platform.
“RESTWS alters the default page callbacks for entities to provide additional functionality,” Drupal said.
“A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There are no mitigating factors. This vulnerability can be exploited by anonymous users.”
The second fix is for a module called Coder that can be used to check Drupal code “against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.”
The fix is also rated as Highly Critical and again affects all 7.x versions of the Drupal platform.
“The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code,” the organisation said.
“There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.”
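The Coder advisory's point is that the risk comes from a module PHP script being directly reachable from the web, not from the module being enabled, so one defensive check is to look at access logs for requests that bypass Drupal's front controller and hit a .php file inside a module directory. The following is an added example written for this article, not code from Drupal or the advisory; it assumes the standard Drupal 7 layout (contrib modules under sites/*/modules, modules/ or profiles/*/modules), the Apache/nginx "combined" log format, and uses constructed log lines with placeholder module and script names.

```python
import re

# Apache/nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Normal Drupal 7 traffic goes through index.php, so a request whose path
# points straight at a .php file under a module directory is the access
# pattern the Coder advisory describes. Directory layout is assumed from
# the standard Drupal 7 install, not taken from the advisory.
MODULE_PHP_RE = re.compile(
    r'^/(?:sites/[^/]+/modules|modules|profiles/[^/]+/modules)'
    r'/[^?#]*\.php(?:$|[?#/])',
    re.IGNORECASE,
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_direct_module_php(path):
    """True if the request path targets a PHP script inside a module directory."""
    return bool(MODULE_PHP_RE.match(path))

def find_direct_module_requests(lines):
    """Return entries that hit a module .php script directly (any status;
    the status field shows whether the server blocked it)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_direct_module_php(entry["path"]):
            hits.append(entry)
    return hits

# Constructed sample lines, not real traffic; module/script names are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jul/2016:10:00:01 +0000] "GET /node/1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Jul/2016:10:00:02 +0000] "GET /index.php?q=user/login HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Jul/2016:10:00:03 +0000] "GET /sites/all/modules/example_module/scripts/run.php?x=1 HTTP/1.1" 200 310',
    '198.51.100.7 - - [13/Jul/2016:10:00:04 +0000] "POST /modules/other_module/tool.php HTTP/1.1" 403 199',
    '192.0.2.9 - - [13/Jul/2016:10:00:05 +0000] "GET /sites/all/modules/example_module/README.txt HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for h in find_direct_module_requests(SAMPLE_LOG):
        print(h["ip"], h["method"], h["path"], h["status"])
```

A 200 on such a request means the script executed server-side and is worth investigating; a 403 shows the web server already blocks direct access to that path.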
The fixes should be welcomed by many UK organisations, as recent research from security company RiskIQ found that over 300 websites owned by the 30 biggest private companies in the UK contain Drupal flaws.