The Drupal team on Wednesday (February 24) released new
versions of its content management system (CMS) that address ten
security vulnerabilities discovered in all three major branches, i.e. 6.x, 7.x,
and 8.x.
Launched in 2008, Drupal 6 was the backbone behind many projects
that made the company famous. At one time, there were over 300,000 Drupal 6 sites
reporting to Drupal.org. However, the version has reached its end-of-life
(EOL) mark and is now officially unsupported. No further security updates or
patches will be supplied for the version 6 core or its modules as of Feb. 24,
2016.
Among the vulnerabilities addressed, one was critical,
six were moderate and three were less critical. The critical issue
included a file upload that caused a local denial of service and an open
redirect on the 404 error page that rerouted users to malicious links.
The team also patched an issue that also affected WordPress
sites.
The moderate bugs included an HTTP header injection using
line breaks, while the less critical ones included a bug that granted some user
accounts extra privileges.
Drupal 6 reached its peak at the beginning of 2011, just before
Drupal 7 was released. Over the last 5 years, though, the number of active
Drupal 6 sites has been slowly declining.
Drupal 7 peaked at over 1.3 million sites: it was far more
popular than Drupal 6 ever was. The question now is whether Drupal 8 can
continue the momentum that started back in 2008 with the release of Drupal 6.
While WordPress is still the most popular CMS for websites,
Drupal ranks second. One in every 10 sites has been using version 6, but now
that its support has ended, it may become a target for criminals. Like Windows XP,
it will be unpatched and unsupported by the developers, becoming vulnerable to
any exploits found in the future.
If you have a Drupal 6 website, you won’t be receiving
any more official security advisories or patches. So, you should plan to update
your site before it falls prey to criminals.