Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-October-02
Security risk:
Vulnerability:
Insecure server configuration
Description:
This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.
The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which may be writeable to be protected by a .htaccess file to prevent malicious PHP files placed within them being executed by the webserver. This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.
Solution:
Install the latest version:
- If you use the Localization Update module for Drupal 7.x-1.x, upgrade to Localization Update 7.x-1.2
- If you use the Localization Update module for Drupal 7.x-2.x, upgrade to Localization Update 7.x-2.3
Also see the Localization update project page.
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
