• Advisory ID: PSA-2011-001
  • Project: Drupal core and contrib
  • Versions: All versions
  • Date: 2011-February-17
  • Security risk: Not critical

Description

This is a public service announcement regarding a recent social engineering attack via the following mail purporting to come from the Drupal security team.

Hello,

I am a member of the Drupal security team. Our installation records show that your site runs Drupal on PHP [version] and [server]. We have recently found a security problem with that configuration which could allow a hacker to get into the site and delete any posts they want. We have not posted anything about this yet publicly as we want to get this patch out to as many people as possible first.

We have developed a patch for this bug - all you need to do is upload this file to your site in the sites/default/files/ folder (do not change the name of the file) and Drupal will see it and install it for you. We recommend you do this as soon as possible.

Sincerely,
James
Drupal security team

The mail was sent with Drupal Security <drupal_s@yahoo.com> as the (easily-forged) "From" address. It also contained an attachment that was said to be a patch that had to be uploaded and installed. Needless to say that this file contained code to make the system accessible from the outside. If you received a message like the above, do not upload the attached file.

How the Drupal Security Team communicates:

  1. The Security Team does not supply patches to sites.
  2. The Security Team will never ask site administrators to upload random files to their site. We only recommend to update to latest core or contrib releases downloaded from drupal.org.
  3. The Security Team officially uses three forms of communication for Drupal Security Advisories; the update report in your Drupal installation, the posts and RSS feed on http://drupal.org/security, and the newsletter available from your Drupal.org user page. The Drupal Security Team does not publish to a Twitter feed or provide any other official communication channel.
  4. The Security Team will never ask for passwords for your host or your Drupal install.

If you receive communications from someone saying they are a member of the Security Team and their request is questionable, please forward the email to the team at security@drupal.org.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.