On Wednesday (February 24), the Drupal team released new versions of its content management system (CMS) that address ten security vulnerabilities discovered across all three major branches: 6.x, 7.x, and 8.x.
Launched in 2008, Drupal 6 was the backbone behind many projects that made the company famous. At one time, over 300,000 Drupal 6 sites were reporting to Drupal.org. However, the version has reached its end-of-life (EOL) mark and is now officially unsupported. No further security updates or patches will be supplied for the version 6 core or its modules as of Feb. 24, 2016.
Of the ten vulnerabilities, one was rated critical, six moderate and three less critical. The critical issue involved a file upload that could cause a local denial of service, along with an open redirect on the 404 error page that could reroute users to malicious links.
The team also patched an issue that affected WordPress sites as well.
The moderate bugs included an HTTP header injection using line breaks, while the less critical ones included a bug that granted some user accounts extra privileges.
Drupal 6 reached its peak at the beginning of 2011, just before Drupal 7 was released. Over the last 5 years, though, the number of active Drupal 6 sites has slowly declined.
Drupal 7 peaked at over 1.3 million sites: it was far more popular than Drupal 6 ever was. The question now is whether Drupal 8 can continue the momentum that started back in 2008 with the release of Drupal 6.
While WordPress is still the most popular CMS for websites, Drupal ranks second. One in every 10 sites has been using version 6, but now that its support has ended, it may become a target for criminals. Like Windows XP, it will go unpatched and unsupported by its developers, leaving it vulnerable to any exploits found in the future.
If you have a Drupal 6 website, you won't be receiving any more official security advisories or patches, so you should plan to update your site before it falls prey to criminals.