The spotlight is back on Drupal with the 8.0.0 release. The successful launch is a testament to the hard work put in by members of the Drupal community, but Drupal 7 still has a huge install base and likely will for many years to come. To support Drupal 7 development, let's take a look at a testing platform built exclusively for the platform. Red Test is an open source integration testing framework aimed at making life easier for Drupal developers.
The update mechanism of the popular Drupal content management system is insecure in several ways, allowing attackers to trick administrators into installing malicious updates.
Researcher Fernando Arnaboldi from security firm IOActive noticed that Drupal will not inform administrators that an update check has failed, for example due to inability to access the update server. Instead, the back-end panel will continue to report that the CMS is up to date, even if it's not.
This can be a problem, considering that hackers are quick to exploit vulnerabilities in popular content management systems like Drupal, WordPress or Joomla, after they appear. In one case in 2014, users had only a seven-hour window to deploy a critical Drupal patch until attackers started exploiting the vulnerability that it fixed.