SA-CORE-2013-002 - Drupal core - Denial of service
- Advisory ID: DRUPAL-SA-CORE-2013-002
- Project: Drupal core
- Version: 7.x
- Date: 2013-February-20
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Denial of service
Description
Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives, which can fill up the server's disk space and cause very high CPU load. Either effect may leave the site unavailable or unresponsive.
Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.
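The following is an added illustration, not Drupal core's own code, of the mitigation pattern Drupal 7.20 introduced for this issue: derivative URLs carry an HMAC-derived token (the `itok` query parameter) that binds the URL to one image style and one source file, so a client can no longer mint URLs for arbitrary style/path combinations and force generation of unbounded numbers of derivatives. The function names, the secret constant, the `public://` path layout and the demo file names below are this example's own assumptions.

```php
<?php
// Added illustration (not Drupal core code): an HMAC token that binds an image
// derivative URL to one (style, source file) pair, in the spirit of the "itok"
// parameter Drupal 7.20 added. All function names here are this example's own.

const DERIVATIVE_TOKEN_PARAM = 'itok';

/**
 * Site-specific secret. In Drupal this role is played by the site's private
 * key and hash salt; here it is a constant so the example runs stand-alone.
 */
function derivative_secret(): string {
  return 'replace-with-a-random-per-site-secret';
}

/**
 * Token for one style/source combination. Binding both values means an
 * attacker cannot produce a valid URL for a style or a file the site never
 * linked to, so the set of derivatives that can be generated is bounded by
 * the site's real files times its configured styles.
 */
function derivative_token(string $style_name, string $source_uri): string {
  $mac = hash_hmac('sha256', $style_name . ':' . $source_uri, derivative_secret(), true);
  // URL-safe base64, truncated to keep URLs short (core truncates as well).
  return substr(rtrim(strtr(base64_encode($mac), '+/', '-_'), '='), 0, 8);
}

/**
 * Build the URL the site itself emits for a derivative (assumes a public:// URI).
 */
function derivative_url(string $style_name, string $source_uri, string $base = '/sites/default/files/styles'): string {
  $path = substr($source_uri, strlen('public://'));
  return $base . '/' . rawurlencode($style_name) . '/public/' . $path
    . '?' . DERIVATIVE_TOKEN_PARAM . '=' . derivative_token($style_name, $source_uri);
}

/**
 * Server side: decide whether a request may trigger derivative generation.
 * $known_styles models the site's configured image styles; $query models $_GET.
 * $allow_insecure models an opt-out switch that restores pre-7.20 behaviour.
 */
function derivative_request_allowed(string $style_name, string $source_uri, array $query, array $known_styles, bool $allow_insecure = false): bool {
  if (!in_array($style_name, $known_styles, true)) {
    return false;                      // unknown style: never generate anything
  }
  if ($allow_insecure) {
    return true;                       // opt-out: accept any style/path pair
  }
  if (!isset($query[DERIVATIVE_TOKEN_PARAM]) || !is_string($query[DERIVATIVE_TOKEN_PARAM])) {
    return false;                      // token missing: refuse to generate
  }
  // Constant-time comparison so the token cannot be recovered byte by byte.
  return hash_equals(derivative_token($style_name, $source_uri), $query[DERIVATIVE_TOKEN_PARAM]);
}

// Demo with constructed inputs.
$styles = ['thumbnail', 'medium', 'large'];
$uri = 'public://photos/cat.jpg';
$url = derivative_url('thumbnail', $uri);
parse_str(parse_url($url, PHP_URL_QUERY), $query);

var_dump(derivative_request_allowed('thumbnail', $uri, $query, $styles));                      // URL the site emitted
var_dump(derivative_request_allowed('large', $uri, $query, $styles));                          // same token, different style
var_dump(derivative_request_allowed('thumbnail', 'public://photos/dog.jpg', $query, $styles)); // same token, different source
var_dump(derivative_request_allowed('thumbnail', $uri, [], $styles));                          // token stripped from the request
```

Only the first request, whose token matches the style and source it was issued for, is accepted; the other three are refused without touching the image toolkit. Two caveats for practitioners: the token bounds the attack surface rather than rate-limiting it (a URL the site really emitted can still be requested repeatedly, but the derivative is generated once and then served from disk), and after the upgrade any derivative URLs that were constructed by hand rather than through the image style API will lack a valid token and be refused, which is the compatibility point the release notes ask sites to test for.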
CVE identifier(s) issued
- CVE-2013-0316
Versions affected
- Drupal core 7.x versions prior to 7.20.
Solution
Install the latest version:
- If you use Drupal core 7.x, upgrade to Drupal core 7.20.
Also see the Drupal core project page.
Reported by
Fixed by
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.