Yeah, as a guy who puts together Drupal sites, this has been a shockingly bad fuckup somewhere. No one noticed that it was a problem - this has been in the code since 7.0 and it's now 7.32 - and then when it was announced it may not have quite been announced as strongly as it could have been, because I didn't realize at first that scrubbing the array indexes on this one line was that important.
And I'm really glad I never got around to updating my personal sites from Drupal 6.x yet, because they aren't vulnerable to this attack.
Date: 2014-10-31 12:35 am (UTC)